Public bug reported:

According to testssl, postfix is vulnerable to "Secure Client-Initiated
Renegotiation" DoS, and there seems to be no obvious way to change this
using configuration:

testssl@sendar:~$ ./testssl.sh -t smtp 127.0.0.1:25
...
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat


1) root@sendar:/home/lilux/alain# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
2) root@sendar:/home/lilux/alain#  apt-cache policy postfix
postfix:
  Installed: 2.11.0-1ubuntu1
  Candidate: 2.11.0-1ubuntu1
  Version table:
 *** 2.11.0-1ubuntu1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.11.0-1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

3) What I expected to happen

Postfix should either be resilient to this out of the box, or there
should be a config option to make it so.

4) What happened instead

Postfix is vulnerable to this condition, without an obvious way to
change this using configuration.

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1591706

Title:
  postfix is vulnerable to "Secure Client-Initiated Renegotiation" DoS
  according to testssl
