I *think* you can fix this in your config.
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
Consider yourself lucky you're not using UW. I believe you need to
recompile it.
Nessus thinks I'm good with the setting above.
John
Amit Thakkar wrote:> Hello,
>
> I work for an organization that uses a Secure Dovecot server for messaging,
and recently we've had to undergo some security screenings for PKI
compliance (credit card industry standards). However, the screening returned to
us a failure due to the following reason (attributed to our Dovecot server,
which runs on port 993 and is the only "open" port on our firewall):
>
> Synopsis : The remote service encrypts traffic using a protocol with known
> weaknesses. Description : The remote service accepts connections encrypted
using SSL 2.0, which
> reportedly suffers fromseveral cryptographic flaws and has been
> deprecated for several years. An attacker may be able to exploit these
> issues to conduct man-in-the-middle attacks or decrypt communications
> between the affected service and clients. See also :
http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's
documentation to disable SSL 2.0 and use SSL
> 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for
instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod _ssl.html for
Apache. Risk Factor: Medium
> / CVSS Base Score : 2
> (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) [More]
>
> Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use
only TLS 1.0 ?
>
> Thank You
>
>
>
--
John Gray gray at agora-net.com
AgoraNet, Inc. (302) 224-2475
314 E. Main Street, Suite 1 (302) 224-2552 (fax)
Newark, De 19711 http://www.agora-net.com