On 20.03.2012 12:32, Robert Schetterer wrote:
> On 20.03.2012 12:16, Lamprecht, Andreas wrote:
>> Hi!
>>
>> I'm new to this list and I could not find a way to search through the
>> already posted articles, so please forgive me if this subject has been
>> discussed before.
>>
>> Our security scanner stumbled over the IMAPS server I've set up recently
>> using Dovecot on a Red Hat Enterprise 64-bit server.
>> The security scanner found an error regarding a new SSL security leak named
>> "BEAST". The exact error number is CVE-2011-3389. Details can be found here:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
>>
>> "The internet" has some workarounds for this problem. For example, in the Apache
>> web server, you need to set
>>
>>     SSLHonorCipherOrder On
>>
>> in the Apache config. This results in the following C code being executed:
>>
>>     SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
>>
>> This setting tells OpenSSL not to honor the cipher order sent from the
>> client, but to prefer its own configured set of cipher suites. According to
>> Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a web server
>> configured with this setting is not affected by that BEAST security leak.
>>
>> Is there a way to implement such a setting in Dovecot, too?
>>
>> I have created a very quick and dirty solution to avoid being listed on our
>> internal security problems list.
>> This patch is for Dovecot 2.0.9, which is included in Red Hat Enterprise Linux
>> 6.2:
>>
>> *** src/login-common/ssl-proxy-openssl.c 2010-12-30
>> 10:42:54.000000000 +0100
>> --- src/login-common/ssl-proxy-openssl.c_1 2012-03-20
>> 09:48:28.359508087 +0100
>> ***************
>> *** 924,930 ****
>>   X509_STORE *store;
>>   STACK_OF(X509_NAME) *xnames = NULL;
>>
>> ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>   if (*set->ssl_ca != '\0') {
>>   /* set trusted CA certs */
>>   store = SSL_CTX_get_cert_store(ssl_ctx);
>> --- 924,930 ----
>>   X509_STORE *store;
>>   STACK_OF(X509_NAME) *xnames = NULL;
>>
>> ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
>> SSL_OP_CIPHER_SERVER_PREFERENCE );
>>   if (*set->ssl_ca != '\0') {
>>   /* set trusted CA certs */
>>   store = SSL_CTX_get_cert_store(ssl_ctx);
>>
>>
>> Of course there should be a way to switch this setting on or off, but my C
>> programming skills are rather basic ...
>>
>> So, maybe you have the time to look over it and implement a final solution
>> for the BEAST problem.
>>
>> Greetings
>> Andreas Lamprecht
>>
>
> perhaps look at
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration
>
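Review bot: the SSL_OP_CIPHER_SERVER_PREFERENCE flag added on the `!` line is hard-coded into the SSL_CTX_set_options() call with no way to turn it off, which the cover text itself concedes; before this is merged it should be gated on a login setting read from the same `set` struct that the following `if (*set->ssl_ca != '\0')` already uses (a hypothetical boolean such as `ssl_prefer_server_ciphers`, ORed into the options only when true), so operators whose clients depend on their own ordering can opt out. Two further points on the same hunk: the option only helps against BEAST if the server's cipher list actually places a non-CBC suite ahead of the CBC ones for TLS 1.0 clients, so without a matching default or documented cipher-list ordering the change is incomplete on its own; and the stray space in `SSL_OP_CIPHER_SERVER_PREFERENCE );` on the continuation line should go.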
and perhaps have a look at http://hg.dovecot.org/dovecot-2.0/rev/e3d46fd04105
and upgrade your Dovecot version to 2.0.18

--
Best Regards
Kind regards, Robert Schetterer
Germany/Munich/Bavaria
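An added example, not code from this thread or from Dovecot, showing what the SSL_OP_CIPHER_SERVER_PREFERENCE flag discussed above actually changes during suite negotiation, and how to set and check the same flag on an OpenSSL-backed context from Python's ssl module. The server and client cipher lists, and the CBC/stream classification table, are constructed here to mirror the 2012-era BEAST workaround (RC4 ordered ahead of CBC suites); they are not a recommendation for today.

```python
# Added example (not from the thread or Dovecot): cipher-suite selection with
# and without server preference, plus the matching flag on a real SSLContext.
import ssl

# Constructed table: is the suite CBC (what BEAST / CVE-2011-3389 attacks at
# TLS 1.0) or a stream cipher?  OpenSSL names; "AES128-SHA" is CBC even though
# the name does not say so.
SUITE_MODE = {
    "RC4-SHA": "stream",
    "AES128-SHA": "cbc",
    "AES256-SHA": "cbc",
    "DES-CBC3-SHA": "cbc",
}

# Constructed server order, 2012-style: RC4 first so a TLS 1.0 client lands on
# a non-CBC suite.
SERVER_PREFS = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"]

# Constructed client hello order, as a client of that era would send it.
CLIENT_OFFER = ["AES256-SHA", "AES128-SHA", "RC4-SHA"]


def select_cipher(server_prefs, client_offer, server_preference):
    """Pick the suite the way an OpenSSL server does.

    Without SSL_OP_CIPHER_SERVER_PREFERENCE: walk the client's list in the
    order the client sent it and take the first suite the server enables.
    With the option: walk the server's own list instead and take the first
    suite the client offered.  Returns None if there is no overlap.
    """
    if server_preference:
        offered = set(client_offer)
        return next((c for c in server_prefs if c in offered), None)
    enabled = set(server_prefs)
    return next((c for c in client_offer if c in enabled), None)


def beast_exposed(suite):
    """True if the negotiated suite is CBC, i.e. affected by BEAST on TLS 1.0."""
    return suite is not None and SUITE_MODE.get(suite) == "cbc"


def make_server_context():
    """Equivalent of Apache's 'SSLHonorCipherOrder On' and of the patch's
    SSL_CTX_set_options(..., SSL_OP_CIPHER_SERVER_PREFERENCE).  Newer Python
    releases already set this flag by default; ORing it in is harmless."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def server_preference_enabled(ctx):
    """Check the flag on an OpenSSL-backed context (what a scanner's finding
    boils down to for this option)."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    for pref in (False, True):
        chosen = select_cipher(SERVER_PREFS, CLIENT_OFFER, pref)
        print(f"server_preference={pref}: negotiated {chosen}, "
              f"BEAST-exposed={beast_exposed(chosen)}")
    print("context has SSL_OP_CIPHER_SERVER_PREFERENCE:",
          server_preference_enabled(make_server_context()))
```

With the client's order honored the server ends up on AES128-SHA (CBC, exposed); with server preference it ends up on RC4-SHA, which is all the flag buys you: it only helps if the server's own list puts a non-CBC suite first. RC4 has since been broken and prohibited in TLS (RFC 7465), so the current fix for CVE-2011-3389 is to disable TLS 1.0 and negotiate TLS 1.2+ AEAD suites, keeping server preference on so the server's ordering rather than the client's decides.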