Hi!

I'm new to this list and I could not find a way to search through the already posted articles, so please forgive me if this subject has been discussed before.

Our security scanner stumbled over the IMAPS server I've set up recently using Dovecot on a RedHat Enterprise 64bit Server.
The security scanner found an error regarding a new SSL security leak named "BEAST". The exact error number is CVE-2011-3389. Details can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

"The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set

SSLHonorCipherOrder On

in apache config. This results in the following C code being executed:

SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

This setting tells OpenSSL not to honor the cipher order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is not affected by that BEAST security leak.

Is there a way to implement such a setting into Dovecot, too?

I have created a very quick and dirty solution to avoid being listed on our internal security problems list.
This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux 6.2:

*** src/login-common/ssl-proxy-openssl.c 2010-12-30 10:42:54.000000000 +0100
--- src/login-common/ssl-proxy-openssl.c_1 2012-03-20 09:48:28.359508087 +0100
***************
*** 924,930 ****
X509_STORE *store;
STACK_OF(X509_NAME) *xnames = NULL;

! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
if (*set->ssl_ca != '\0') {
/* set trusted CA certs */
store = SSL_CTX_get_cert_store(ssl_ctx);
--- 924,930 ----
X509_STORE *store;
STACK_OF(X509_NAME) *xnames = NULL;

! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE );
if (*set->ssl_ca != '\0') {
/* set trusted CA certs */
store = SSL_CTX_get_cert_store(ssl_ctx);

Of course there should be a way to switch this setting on or off, but my C programming skills are rather basic ...

So, maybe you have the time to look over it and implement a final solution for the BEAST problem.

Greetings
Andreas Lamprecht
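Review bot: SSL_OP_CIPHER_SERVER_PREFERENCE is hard-coded into the changed `!` line with nothing to switch it off, so every installation built from this gets server-side cipher ordering regardless of how its own cipher list was chosen; gate it on a boolean login setting instead (hypothetical name `ssl_prefer_server_ciphers`, in the same `set` struct that already carries `ssl_ca`), e.g. `if (set->ssl_prefer_server_ciphers) SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` right after the existing `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);` line, and document the new setting alongside the other SSL settings. The cover text should also say plainly what the flag does and does not do: it only decides whose preference order wins during negotiation, so it helps against CVE-2011-3389 only in combination with a server cipher list that places the suites you want negotiated ahead of the ones the scanner flags.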
On 20.03.2012 12:16, Lamprecht, Andreas wrote:
> Hi!
>
> I'm new to this list and I could not find a way to search through the already posted articles, so please forgive me if this subject has been discussed before.
>
> Our security scanner stumbled over the IMAPS server I've set up recently using Dovecot on a RedHat Enterprise 64bit Server.
> The security scanner found an error regarding a new SSL security leak named "BEAST". The exact error number is CVE-2011-3389. Details can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
>
> "The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set
>
> SSLHonorCipherOrder On
>
> in apache config. This results in the following C code being executed:
>
> SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
>
> This setting tells OpenSSL not to honor the cipher order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is not affected by that BEAST security leak.
>
> Is there a way to implement such a setting into Dovecot, too?
>
> I have created a very quick and dirty solution to avoid being listed on our internal security problems list.
> This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux 6.2:
>
> *** src/login-common/ssl-proxy-openssl.c 2010-12-30 10:42:54.000000000 +0100
> --- src/login-common/ssl-proxy-openssl.c_1 2012-03-20 09:48:28.359508087 +0100
> ***************
> *** 924,930 ****
> X509_STORE *store;
> STACK_OF(X509_NAME) *xnames = NULL;
>
> ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
> if (*set->ssl_ca != '\0') {
> /* set trusted CA certs */
> store = SSL_CTX_get_cert_store(ssl_ctx);
> --- 924,930 ----
> X509_STORE *store;
> STACK_OF(X509_NAME) *xnames = NULL;
>
> ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE );
> if (*set->ssl_ca != '\0') {
> /* set trusted CA certs */
> store = SSL_CTX_get_cert_store(ssl_ctx);
>
>
> Of course there should be a way to switch this setting on or off, but my C programming skills are rather basic ...
>
> So, maybe you have the time to look over it and implement a final solution for the BEAST problem.
>
> Greetings
> Andreas Lamprecht
>

perhaps look at http://wiki2.dovecot.org/SSL/DovecotConfiguration

--
Best Regards
Kind regards
Robert Schetterer
Germany/Munich/Bavaria
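The server-side cipher preference this thread is about, as an added example written against Python's standard ssl module rather than taken from Dovecot, Apache or OpenSSL: make_server_context() sets or clears the same OpenSSL flag (ssl.OP_CIPHER_SERVER_PREFERENCE) on an SSLContext that the patch sets with SSL_CTX_set_options, and choose_cipher() is a small model of the negotiation rule the flag changes (walk the preferred side's list, take the first suite the other side also offers). The cipher specification and the client offer are constructed for the example, and the "off" branch clears the flag explicitly because Python enables it on every new context by default.

```python
import ssl

# Server cipher order, constructed for this example: AEAD suites first, a CBC
# suite last, so that an honoured server preference steers clients to the
# AEAD suites even when the client lists the CBC suite first.
PREFERRED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256"
)


def make_server_context(prefer_server_order: bool,
                        cipher_spec: str = PREFERRED_CIPHERS) -> ssl.SSLContext:
    """Build a server SSLContext with the cipher-order flag set or cleared.

    The "on" branch is the Python equivalent of
    SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); Python already
    sets that flag on a fresh context, so "off" must clear it explicitly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)
    if prefer_server_order:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def server_prefers_own_order(ctx: ssl.SSLContext) -> bool:
    """True when the context will use its own cipher order over the client's."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def tls12_cipher_order(ctx: ssl.SSLContext) -> list:
    """Cipher names for TLS 1.2 and below, in the order the context prefers.

    TLS 1.3 suites are fixed by OpenSSL and are not governed by the cipher
    list set above, so they are filtered out here.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def choose_cipher(ctx: ssl.SSLContext, client_offer: list):
    """Model of the selection rule: the side whose order is honoured is walked
    first, and the first suite the other side also offers wins (None if none)."""
    server_order = tls12_cipher_order(ctx)
    if server_prefers_own_order(ctx):
        walk, other = server_order, set(client_offer)
    else:
        walk, other = client_offer, set(server_order)
    return next((name for name in walk if name in other), None)


if __name__ == "__main__":
    # Constructed client offer that puts the CBC suite first.
    offer = ["ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
    for flag in (False, True):
        print("server preference", "on " if flag else "off", "->",
              choose_cipher(make_server_context(flag), offer))
```

With the flag off, the client's first choice (the CBC suite) is negotiated; with it on, the server's first matching suite wins. This is why the flag by itself is not a mitigation: the server's own cipher list has to be ordered so that the suites it wants come first.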