dovecot - Mar 2012 - IMAP and POP3 per SSL

Hi!
 
I'm new to this list and i could not find a way to search through the
already posted articles, so please forgive me if this subject has been discussed
before.
 
Our security scanner stumbled over the IMAPs server i've set up recently
using dovecot on a RedHat Enterprise 64bit Server.
The security scanner found an error regarding a new SSL security leak named
"BEAST". The exact error number is CVE-2011-3389. Details can be found
here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

"The internet" has some workarounds for this problem. For example, in
Apache webserver, you need to set

  SSLHonorCipherOrder On

in apache config. This results in the following C-Code being executed:

        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

This setting tells OpenSSL not to honor the Ciper Order sent from the client,
but prefer it's own configured set of CipherSuites. According to Qualis SSL
Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with
this setting is not affected by that BEAST security leak.

Is there a way to implement such a setting into Dovecot, too?

I have created a very quick and dirty solution to avoid being listed on our
internal security problem's list.
This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux
6.2:

*** src/login-common/ssl-proxy-openssl.c        2010-12-30 10:42:54.000000000
+0100
--- src/login-common/ssl-proxy-openssl.c_1      2012-03-20 09:48:28.359508087
+0100
***************
*** 924,930 ****
        X509_STORE *store;
        STACK_OF(X509_NAME) *xnames = NULL;

!       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
        if (*set->ssl_ca != '\0') {
                /* set trusted CA certs */
                store = SSL_CTX_get_cert_store(ssl_ctx);
--- 924,930 ----
        X509_STORE *store;
        STACK_OF(X509_NAME) *xnames = NULL;

!       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_CIPHER_SERVER_PREFERENCE );
        if (*set->ssl_ca != '\0') {
                /* set trusted CA certs */
                store = SSL_CTX_get_cert_store(ssl_ctx);


Of course there should be a way to switch this setting on or off, but my C
programming skills are rather basic ...

So, maybe you have the time to look over it and implement a final solution for
the BEAST problem.

Greetings
Andreas lamprecht

Am 20.03.2012 12:16, schrieb Lamprecht, Andreas:
> Hi!
>  
> I'm new to this list and i could not find a way to search through the
already posted articles, so please forgive me if this subject has been discussed
before.
>  
> Our security scanner stumbled over the IMAPs server i've set up
recently using dovecot on a RedHat Enterprise 64bit Server.
> The security scanner found an error regarding a new SSL security leak named
"BEAST". The exact error number is CVE-2011-3389. Details can be found
here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
> 
> "The internet" has some workarounds for this problem. For
example, in Apache webserver, you need to set
> 
>   SSLHonorCipherOrder On
> 
> in apache config. This results in the following C-Code being executed:
> 
>         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> 
> This setting tells OpenSSL not to honor the Ciper Order sent from the
client, but prefer it's own configured set of CipherSuites. According to
Qualis SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver
configured with this setting is not affected by that BEAST security leak.
> 
> Is there a way to implement such a setting into Dovecot, too?
> 
> I have created a very quick and dirty solution to avoid being listed on our
internal security problem's list.
> This patch is for dovecot 2.0.9 which is included in Redhat Enterprise
Linux 6.2:
> 
> *** src/login-common/ssl-proxy-openssl.c        2010-12-30
10:42:54.000000000 +0100
> --- src/login-common/ssl-proxy-openssl.c_1      2012-03-20
09:48:28.359508087 +0100
> ***************
> *** 924,930 ****
>         X509_STORE *store;
>         STACK_OF(X509_NAME) *xnames = NULL;
> 
> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>         if (*set->ssl_ca != '\0') {
>                 /* set trusted CA certs */
>                 store = SSL_CTX_get_cert_store(ssl_ctx);
> --- 924,930 ----
>         X509_STORE *store;
>         STACK_OF(X509_NAME) *xnames = NULL;
> 
> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_CIPHER_SERVER_PREFERENCE );
>         if (*set->ssl_ca != '\0') {
>                 /* set trusted CA certs */
>                 store = SSL_CTX_get_cert_store(ssl_ctx);
> 
> 
> Of course there should be a way to switch this setting on or off, but my C
programming skills are rather basic ...
> 
> So, maybe you have the time to look over it and implement a final solution
for the BEAST problem.
> 
> Greetings
> Andreas lamprecht
> 
perhaps look at

http://wiki2.dovecot.org/SSL/DovecotConfiguration

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria