I have dovecot running as a pop3s server on port 995. It works great with sendmail, and I run nessus to check security issues. Nessus reports this:

The SSLv2 server offers 3 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack

Solution: disable those ciphers and upgrade your client software if necessary

I have previously disabled weak ciphers in apache but cannot figure out how to disable the weak ciphers in dovecot.

Any help would be appreciated

john
On Fri, 2004-04-23 at 17:51, John Wentworth wrote:
> I have previously disabled weak ciphers in apache
> but cannot figure out how to disable the weak ciphers in
> dovecot
> Any help would be appreciated

Currently you'd have to edit src/login-common/ssl-proxy-openssl.c by hand. Default is #define SSL_CIPHER_LIST "ALL:!LOW". I guess Nessus has a different idea of weak ciphers than OpenSSL. I'll add in TODO that this should be configurable in config file as well.
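
Why the default list still draws the Nessus finding, as an added example that is not part of the original thread or Dovecot's code: in OpenSSL's cipher-list syntax `LOW` covers the 56/64-bit suites but not the export suites, which sit under `EXPORT` (alias `EXP`). The suite table and the scanner's strength thresholds below are constructed assumptions, and `select` models only a subset of the syntax.

```python
# Constructed table modelled on the SSLv2 suites of a 2004-era OpenSSL build:
# (name, protocol, key bits, OpenSSL strength class). Not taken from the thread.
SUITES = [
    ("DES-CBC3-MD5",    "SSLv2", 168, "HIGH"),
    ("RC4-MD5",         "SSLv2", 128, "MEDIUM"),
    ("RC2-CBC-MD5",     "SSLv2", 128, "MEDIUM"),
    ("DES-CBC-MD5",     "SSLv2",  56, "LOW"),
    ("EXP-RC4-MD5",     "SSLv2",  40, "EXPORT"),
    ("EXP-RC2-CBC-MD5", "SSLv2",  40, "EXPORT"),
]
ALIASES = {"EXP": "EXPORT"}


def matches(suite, keyword):
    """True if a cipher-list keyword selects this suite."""
    name, proto, _bits, cls = suite
    keyword = ALIASES.get(keyword, keyword)
    return keyword == "ALL" or keyword in (name, proto, cls)


def select(cipher_list):
    """Evaluate a subset of OpenSSL's syntax: KEY appends, !KEY removes for good."""
    chosen, banned = [], set()
    for token in cipher_list.split(":"):
        if token.startswith("!"):
            banned |= {s for s in SUITES if matches(s, token[1:])}
            chosen = [s for s in chosen if s not in banned]
        else:
            chosen += [s for s in SUITES
                       if matches(s, token) and s not in banned and s not in chosen]
    return chosen


def scanner_view(suites):
    """Bucket by key length; the thresholds are assumed, not Nessus's documented ones."""
    counts = {"strong": 0, "medium": 0, "weak": 0}
    for _name, _proto, bits, _cls in suites:
        counts["strong" if bits >= 112 else "medium" if bits > 56 else "weak"] += 1
    return counts


if __name__ == "__main__":
    for cipher_list in ("ALL:!LOW", "ALL:!LOW:!EXP"):
        picked = select(cipher_list)
        print(cipher_list, [s[0] for s in picked], scanner_view(picked))
```

With `"ALL:!LOW"` the model keeps both 40-bit export suites, matching the "3 strong, 0 medium, 2 weak" report; adding `!EXP` to the string removes them.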