dovecot - Sep 2008 - disbale to responded to an unrequested SSL Certificate

Hi dovecot-list,

just a easy question today ;)

Customer did on Server a PCI-Test to test security to fit worldpay requirements.

They found a critical risk at pop3s. (and some other things)

This is the Textmesage:
############
Family: Remote Shell Access Critical 993/tcp 11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote SSL
server should have
sent back an Error message. This may indicate that the server is vulnerable to a
remote
flaw in the way that it handles unrequested certificates. You should manually
inspect the
SSL Server's configuration
############

Background is that we use a wildcard-cert which is installed on ervery machine
and fits to servername. So you have to use the accredited Hostname/Servername to
make clean ssl connection pop3s/imaps without warnings etc.
Problem should be that server sends no error when requested with other hostname.
This is significant part from dovecot.conf

protocols = imap imaps pop3 pop3s
ssl_disable = no
ssl_cert_file = "/path/to/*.myhost.com.crt"
ssl_key_file = "/path/to/*.myhost.com.key"
ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"

Is there a Config-Option to send error when ssl-connect ist not established to
in cert accredited Hostname/Servername ? Did not found something like this or
did not really understand  function of the options.

I do not know backgrounds to this issue. Cant decide if it would be a security
risk or disproportionated wishes of securityexperts but i want to satisfy this
costumer.
How to handle thos?

Thank you
Andre

Hi List,

> Hi dovecot-list,
>
> just a easy question today ;)
>
> Customer did on Server a PCI-Test to test security to fit worldpay 
> requirements.
>
> They found a critical risk at pop3s. (and some other things)
>
> This is the Textmesage:
> ############
> Family: Remote Shell Access Critical 993/tcp 11875
> Description:
> The remote host responded to an unrequested SSL Certificate. The remote 
> SSL server should have
> sent back an Error message. This may indicate that the server is 
> vulnerable to a remote
> flaw in the way that it handles unrequested certificates. You should 
> manually inspect the
> SSL Server's configuration
> ############
>
> Background is that we use a wildcard-cert which is installed on ervery 
> machine and fits to servername. So you have to use the accredited 
> Hostname/Servername to make clean ssl connection pop3s/imaps without 
> warnings etc.
> Problem should be that server sends no error when requested with other 
> hostname. This is significant part from dovecot.conf
>
> protocols = imap imaps pop3 pop3s
> ssl_disable = no
> ssl_cert_file = "/path/to/*.myhost.com.crt"
> ssl_key_file = "/path/to/*.myhost.com.key"
> ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"
>
> Is there a Config-Option to send error when ssl-connect ist not 
> established to in cert accredited Hostname/Servername ? Did not found 
> something like this or did not really understand  function of the options.
>
> I do not know backgrounds to this issue. Cant decide if it would be a 
> security risk or disproportionated wishes of securityexperts but i want to 
> satisfy this costumer.
> How to handle thos?
>
> Thank you
> Andre

could be the solution to set ssl_listen to hostname where dovecot is 
running? pretty easy... O.o
my tests were successful but would like to obtain other opinions..

Thanks
Andre

Andre H?bner wrote:
> Hi dovecot-list,
> 
> just a easy question today ;)
> 
> Customer did on Server a PCI-Test to test security to fit worldpay
requirements.
NB: PCI is not to fit Worldpay's requirements; but rather the body of 
PCI-DSS (Visa & Mastercard).

1. What was the scanning tool? Qualys?
2. What level of severity was this flagged as?  From when i've done PCI 
audit's, anything > 2 needed addressing, anything <=2 was able to
pass.
It may be the case your customer has nothing to worry about with regards 
to this specific warning...

Cheers,

-- 
Kind Regards,           ::   http://www.cjbuckley.net/
Chris Buckley           ::   http://photos.cjbuckley.net/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 30 Sep 2008, Andre H?bner wrote:

I may sound like a total ox, but I wonder if the client _requests_ a 
certificate at all? Till now I thought that the client starts the TLS 
handshake and the server responses with a certificate, if approrpiate for 
the cipher both had agreed on. The server has no way to know which 
symbolic name the client originally used when resolving into an IP.

So, to run several Dovecot instances, each configured with one certificate 
matching the symbolic name of the interface, sounds pretty straight 
forward to me.

Bye,

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI5OHOVJMDrex4hCIRAkHoAJ4w9NhOXYjKHV1qRWVN0iInH6T+dwCfbkdj
9QYTPIgcapxuNpHLz/Kd3ok=+2EI
-----END PGP SIGNATURE-----