dovecot - Apr 2019 - Secure Client-Initiated Renegotiation

Hello.

I've just tested my system that runs dovecot 2.3.4.1 on debian buster 
with testssl.sh (https://testssl.sh/) and is says:

Secure Renegotiation (CVE-2009-3555)    not vulnerable (OK)
Secure Client-Initiated Renegotiation   VULNERABLE (NOT ok), potential 
DoS threat

Is this a configuration or a compilation issue and how to solve it?

-- 
sergio.

On 11/04/2019 23:28, sergio via dovecot wrote:
> Hello.
>
> I've just tested my system that runs dovecot 2.3.4.1 on debian buster
> with testssl.sh (https://testssl.sh/) and is says:
>
> Secure Renegotiation (CVE-2009-3555)??? not vulnerable (OK)
> Secure Client-Initiated Renegotiation?? VULNERABLE (NOT ok), potential
> DoS threat
>
> Is this a configuration or a compilation issue and how to solve it?
>
This should be interpreted as meaning that client initiated
renegotiation is enabled. The tool does not test whether the software
mitigates the dos threat by limiting the number of negotiations to a
configurable limit.

Having said that, I think that mitigating this in dovecot would require
a code change. What I'm not sure about is whether the best route would
be to turn off client side renegotiation or only limit it. A previous
version of openssl turned it off but then it was re-introduced. That
would require further investigation to understand the best solution.

John