We had an auditor who stated that our stock compiled UW imapd allows
low-grade ciphers (64-bit key length and below), and we were asked to disable
this.

After poking around a bit, I encountered:

imap-2006a/src/osdep/unix/ssl_unix.c:#define SSLCIPHERLIST "ALL:!LOW"

which is fed to SSL_CTX_set_cipher_list().

It is my understanding that this will only disable LOW-grade ciphers (56
and 64-bit ciphers), while still allowing EXPORT-grade ciphers (at least
the 40-bit ciphers). I could be wrong here. This also assumes that OpenSSL
was compiled without any effort to disable any ciphers.

Shouldn't SSLCIPHERLIST by default be "ALL:!LOW:!EXP" so that all
ciphers with a key length of less than or equal to 64 bits are disabled?

Thanks,
Jorgen

--
_______________________________________________________________________
       Jorgen Wahlsten                         phone: +1-212-522-6194
  Principal Systems Engineer                   AIM:    jorgenwahlsten
Time Inc. Internet Technologies                YIM:    jorgenwahlsten
   http://www.time.com/time/                   ICQ:    171198501

_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
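As an added example (not part of the original message, the UW imapd source or OpenSSL), here is a POSIX shell check a server administrator can run to see whether a given OpenSSL cipher string still permits suites whose symmetric key is 64 bits or shorter. It parses the Enc=NAME(bits) column printed by `openssl ciphers -v`, so it judges each suite by its actual key length rather than by OpenSSL's LOW/EXPORT class names. The sample lines are constructed to imitate what an OpenSSL of the imap-2006a era printed for HIGH, triple-DES, 56-bit LOW, 40-bit EXPORT and NULL suites, since current OpenSSL builds no longer ship the weak ones; the function names weak_ciphers and check_cipher_string are my own.

```shell
#!/bin/sh
# Added example: list the cipher suites in `openssl ciphers -v` output whose
# symmetric key is MAX_BITS or shorter (default 64), or which use no
# encryption at all (Enc=None).  Function and variable names are the
# example author's own, not from UW imapd or OpenSSL.

# weak_ciphers [MAX_BITS]
# Reads `openssl ciphers -v` lines on stdin, prints one suite name per line.
weak_ciphers() {
    max_bits="${1:-64}"
    awk -v max="$max_bits" '
        {
            # Look only at the Enc=ALGORITHM(bits) column: the Kx= column can
            # also carry a number in parentheses (e.g. Kx=RSA(512) for export
            # key exchange), which must not be mistaken for the key length.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Enc=/) {
                    enc = substr($i, 5)
                    if (enc == "None") { print $1; next }   # NULL cipher suite
                    if (match(enc, /\([0-9]+\)/)) {
                        bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
                        if (bits <= max) print $1
                    }
                    next
                }
            }
        }'
}

# check_cipher_string CIPHER_STRING
# Evaluates a cipher string with the locally installed openssl and reports
# any suites of 64 bits or less that it would still negotiate.
check_cipher_string() {
    spec="$1"
    weak=$(openssl ciphers -v "$spec" | weak_ciphers 64)
    if [ -n "$weak" ]; then
        printf 'cipher string "%s" still permits:\n%s\n' "$spec" "$weak"
        return 1
    fi
    printf 'cipher string "%s" permits no suite of 64 bits or less\n' "$spec"
    return 0
}

# Constructed sample in the `openssl ciphers -v` format, imitating the kinds
# of suites an OpenSSL of the imap-2006a era could offer: HIGH, triple-DES,
# a 56-bit LOW suite, two 40-bit EXPORT suites and a NULL suite.
SAMPLE_CIPHERS='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1'

echo "Suites of 64 bits or less in the constructed sample:"
printf '%s\n' "$SAMPLE_CIPHERS" | weak_ciphers 64

# Against the real library, if one is installed.  On modern OpenSSL builds the
# LOW and EXPORT suites are compiled out, so both strings usually come back
# clean; on a build that still has them, only the second string does.
if command -v openssl >/dev/null 2>&1; then
    check_cipher_string 'ALL:!LOW' || true
    check_cipher_string 'ALL:!LOW:!EXP' || true
fi
```

Run against an OpenSSL that still builds the export suites, the two check_cipher_string calls show the difference the message is asking about: "ALL:!LOW" drops the 56-bit DES-CBC-SHA suite but keeps the 40-bit EXP- suites, because OpenSSL's LOW class deliberately excludes export ciphers, while "ALL:!LOW:!EXP" removes both. The parser is independent of those class names, so it also catches a 56-bit export suite or a NULL suite should one turn up in the list.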
