On Thu, 30 Jun 2005, Andrew Voltmer wrote:
I am looking for a solution to a security issue related to the WU-IMAP server. I have a security scanning tool that is reporting that my imapd daemon is doing SSL v2 over 993 on my IMAP server. It suggests that I need to disable SSL v2 to prevent any issues related to SSL v2 vulnerabilities. I know this was a major issue with Apache and IIS servers that did SSL v2 support, so I assume it may also be an issue in an IMAP environment. Does anyone know a way to disable SSL v2 support in the WU-IMAP server? Thanks.

I don't know what these "issues related to SSL v2 vulnerabilities" are; thus I cannot comment intelligently on whether or not it affects IMAP in any way. Are you building UW (not WU) imapd with the latest version of OpenSSL?

SSL IMAP on port 993 is defined to use the SSLv23 method, and the STARTTLS command on port 143 is defined to use the TLSv1 method. Changing to some other method can break interoperability between clients and servers. There have been interoperability problems with clients that incorrectly chose SSLv23 instead of TLSv1 when doing TLS on port 143.

If you really need to disable SSL v2, then it may be that the best thing is simply to disable port 993 service and require that everybody use port 143 and STARTTLS. This has the additional desirable side effect of breaking clients that do SSL but not TLS, thus forcing your users to use good TLS-capable IMAP clients such as Pine. :-)

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
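Added example (not part of the reply above, and not UW imapd code): a standard-library Python check of the posture the reply recommends, STARTTLS on port 143 advertised and mandatory (RFC 2595 LOGINDISABLED until the upgrade) and port 993 no longer answering. The host name is a placeholder; the greeting strings are constructed for illustration.

```python
import socket

IMAP_HOST = "imap.example.invalid"   # placeholder host, substitute your own


def parse_capabilities(line: str) -> set:
    """Extract CAPABILITY tokens (upper-cased) from an IMAP greeting such as
    '* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] host IMAP4rev1 ready'
    or from an untagged '* CAPABILITY ...' response."""
    text = line.strip()
    upper = text.upper()
    if "[CAPABILITY" in upper:
        start = upper.index("[CAPABILITY") + len("[CAPABILITY")
        end = upper.index("]", start)
        body = text[start:end]
    elif upper.startswith("* CAPABILITY"):
        body = text[len("* CAPABILITY"):]
    else:
        return set()
    return {tok.upper() for tok in body.split()}


def posture(caps_143: set, port_993_open: bool) -> str:
    """Classify the server against the advice in the reply: STARTTLS on 143,
    plaintext LOGIN refused before the upgrade, and 993 switched off."""
    if "STARTTLS" not in caps_143:
        return "no-starttls"                 # 143 is plaintext-only
    if "LOGINDISABLED" not in caps_143:
        return "starttls-optional"           # clients may still log in without TLS
    if port_993_open:
        return "starttls-required-993-open"  # 993 (SSLv23 method) still reachable
    return "starttls-only"                   # the end state the reply recommends


def read_greeting(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Read the server's untagged greeting on the plaintext IMAP port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return s.recv(4096).decode("ascii", "replace")


def port_open(host: str, port: int, timeout: float = 5.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str) -> str:
    """Live check: parse the 143 greeting and test whether 993 still answers."""
    return posture(parse_capabilities(read_greeting(host)), port_open(host, 993))


if __name__ == "__main__":
    print(IMAP_HOST, probe(IMAP_HOST))
```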
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
