Andre Hübner
2008-Sep-29 12:04 UTC
[Dovecot] disable to respond to an unrequested SSL Certificate
Hi dovecot-list,

just an easy question today ;)

A customer ran a PCI test on the server to check whether its security fits Worldpay requirements. They found a critical risk at pop3s (and some other things). This is the text message:

    ############
    Family: Remote Shell Access  Critical  993/tcp  11875
    Description:
    The remote host responded to an unrequested SSL Certificate. The remote SSL server should have sent back an Error message. This may indicate that the server is vulnerable to a remote flaw in the way that it handles unrequested certificates. You should manually inspect the SSL Server's configuration
    ############

Background is that we use a wildcard cert which is installed on every machine and fits the server name. So you have to use the accredited hostname/server name to make a clean SSL connection to pop3s/imaps without warnings etc. The problem should be that the server sends no error when requested with another hostname. This is the significant part of dovecot.conf:

    protocols = imap imaps pop3 pop3s
    ssl_disable = no
    ssl_cert_file = "/path/to/*.myhost.com.crt"
    ssl_key_file = "/path/to/*.myhost.com.key"
    ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"

Is there a config option to send an error when the SSL connection is not established to the hostname/server name accredited in the cert? I did not find something like this, or did not really understand the function of the options.

I do not know the background of this issue. I can't decide whether it is a security risk or a disproportionate wish of the security experts, but I want to satisfy this customer. How to handle this?

Thank you
Andre
Andre Hübner
2008-Sep-30 15:29 UTC
[Dovecot] disable to respond to an unrequested SSL Certificate
Hi List,

> Is there a Config-Option to send error when ssl-connect ist not
> established to in cert accredited Hostname/Servername ?

Could the solution be to set ssl_listen to the hostname where Dovecot is running? Pretty easy... O.o

My tests were successful, but I would like to obtain other opinions.

Thanks
Andre
Christopher J. Buckley
2008-Oct-01 01:43 UTC
[Dovecot] disable to respond to an unrequested SSL Certificate
Andre Hübner wrote:
> Customer did on Server a PCI-Test to test security to fit worldpay
> requirements.

NB: PCI is not to fit Worldpay's requirements, but rather those of the PCI-DSS body (Visa & Mastercard).

1. What was the scanning tool? Qualys?
2. What level of severity was this flagged as? From when I've done PCI audits, anything > 2 needed addressing, anything <= 2 was able to pass.

It may be the case that your customer has nothing to worry about with regard to this specific warning...

Cheers,
--
Kind Regards,        :: http://www.cjbuckley.net/
Chris Buckley        :: http://photos.cjbuckley.net/
Steffen Kaiser
2008-Oct-02 14:59 UTC
[Dovecot] disable to respond to an unrequested SSL Certificate
On Tue, 30 Sep 2008, Andre Hübner wrote:

I may sound like a total ox, but I wonder if the client _requests_ a certificate at all? Till now I thought that the client starts the TLS handshake and the server responds with a certificate, if appropriate for the cipher both have agreed on.

The server has no way to know which symbolic name the client originally used when resolving into an IP. So, to run several Dovecot instances, each configured with one certificate matching the symbolic name of the interface, sounds pretty straightforward to me.

Bye,

--
Steffen Kaiser
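An added example, not from the thread or from the Dovecot project, of the check a practitioner would actually run here. With the configuration quoted in the first post, the server presents the one certificate named in ssl_cert_file to every connection on the TLS-wrapped ports; whether the name the client connected to is covered by that certificate's CN or DNS subjectAltName is decided by the client, which is what produces the warnings the first post mentions. The POSIX shell script below pulls those names out of the certificate a port presents (openssl s_client, so that part needs network access) and applies the single-label wildcard rule of RFC 6125 section 6.4.3: "*.myhost.com" covers "mail.myhost.com" but not "myhost.com", "a.b.myhost.com" or a bare IP address. The hostnames, ports and sample name lists are constructed for illustration, and name_matches, cert_covers_host, server_cert_names and check_host are this example's own helper names, not Dovecot or OpenSSL ones.

```shell
#!/bin/sh
# Added example: which certificate does a TLS-wrapped POP3/IMAP port present,
# and does it cover the hostname the client used?  Not part of the thread.

# name_matches CERTNAME HOST -> 0 if CERTNAME (CN or DNS SAN entry, possibly a
# wildcard) covers HOST.  A wildcard covers exactly one leftmost label
# (RFC 6125 section 6.4.3); comparison is case-insensitive.
name_matches() {
    nm_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    nm_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$nm_name" in
        '*.'*)
            nm_suffix=${nm_name#\*.}
            case "$nm_host" in
                *".$nm_suffix")
                    nm_left=${nm_host%".$nm_suffix"}
                    case "$nm_left" in
                        ''|*.*) return 1 ;;   # empty, or more than one label, on the left
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$nm_name" = "$nm_host" ] ;;
    esac
}

# cert_covers_host NAMES HOST -> prints the first covering name and returns 0,
# or returns 1.  NAMES is a newline-separated list as produced by
# server_cert_names (constructed lists are used in the tests).
cert_covers_host() {
    cc_names=$1
    cc_host=$2
    cc_ifs=$IFS
    IFS='
'
    set -f                      # keep "*.myhost.com" from globbing against the cwd
    set -- $cc_names            # split on newlines only
    IFS=$cc_ifs
    set +f
    for cc_n in "$@"; do
        if name_matches "$cc_n" "$cc_host"; then
            printf '%s\n' "$cc_n"
            return 0
        fi
    done
    return 1
}

# server_cert_names HOST PORT SNI -> one name per line: the subject CN plus
# every DNS: entry of the subjectAltName of the certificate presented on
# HOST:PORT (implicit TLS, e.g. 993/995).  SNI is sent as -servername; a server
# with a single configured certificate presents the same one whatever is sent.
# Needs network access; not exercised by the offline tests.
server_cert_names() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -text 2>/dev/null \
      | sed -n \
          -e 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' \
          -e '/DNS:/{' -e 's/DNS://g' -e 's/ //g' -e p -e '}' \
      | tr ',' '\n'
}

# check_host HOST PORT -> 0 and an OK line if the presented certificate covers
# HOST, else 1 and the names it does carry (what a client sees as a mismatch).
check_host() {
    ch_names=$(server_cert_names "$1" "$2" "$1")
    if ch_match=$(cert_covers_host "$ch_names" "$1"); then
        echo "OK: $1:$2 presents a certificate covering $1 (matched $ch_match)"
    else
        echo "MISMATCH: $1:$2 presents a certificate for: $(printf '%s' "$ch_names" | tr '\n' ' ')"
        return 1
    fi
}

# usage: sh check_cert.sh mail.myhost.com 993   (port defaults to 993)
if [ $# -ge 1 ]; then
    check_host "$1" "${2:-993}"
fi
```

Run it once against the accredited name and once against any other name or the raw IP the same box answers on: the first prints OK, the second prints MISMATCH with the wildcard name, which is exactly the warning a mail client shows. That is a client-side verification result, not a server-side refusal, so there is nothing in the server's output that an ssl_cert_file setting alone can change for a client that connected under a different name.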