On 2022-05-13 5:02 pm, Greg Earle wrote:
> Hello,
>
> At work I'm running a Dovecot 2.3.15 server on a RHEL 7.9 system with
> OpenSSL 1.0.2k.
>
> Our IT Security people are threatening to shut it down because of this:
>
>> We were notified of a possible TLS renegotiation vulnerability on
>> [FQHN].
>>
>> [Parent organization] ticket NNNNNNN is open to track efforts.
>>
>> We conducted a manual test on the site for TLS Renegotiation on IMAP
>> port 993.
>>
>> We found that this was set to enabled.
>>
>> In order to remediate we will need to either:
>>
>> 1. Disable Renegotiation (preferred)
>> 2. Set a max aggregated renegotiation
>>
>> Please remediate as soon as possible.
>>
>> References:
>>
>> https://support.f5.com/csp/article/K15278
>>
>> https://nvd.nist.gov/vuln/detail/cve-2011-1473
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>
> I did some Googling and among the results, I found a few old posts from
> this mailing list among them, which to summarize basically seemed to
> say "Yeah, we could write some code ... " but that was about it.
>
> The IT Security rep sent me a reference to an ancient Red Hat article
>
> https://access.redhat.com/articles/23543
>
> which is hysterical - ancient history, references NSS and Tomcat,
> suggests changes to an add-on product (Red Hat Certificate Server) that
> is EOL, etc.
>
> Is there any way to mitigate this issue?
>
> (The only thing I can think of is to upgrade the Dovecot server to RHEL
> 8 and restrict connections to only TLSv1.3, but that ain't gonna happen
> overnight.)
>
> Thanks,
>
> - Greg
Greg,
I believe this to be a configuration error, not a dovecot problem. The
output of dovecot -n (as an attachment; look it over for any data you do
not want publicized) would help to suggest changes to bring you back
into compliance.
Regards,
Elisamuel Resto
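As an added example that is not part of this thread (and not Dovecot project code): a POSIX shell check of whether an IMAPS endpoint still accepts client-initiated TLS renegotiation, the condition the security team reported on port 993, so the result of a configuration change can be verified. It assumes a hypothetical host name and that `openssl s_client -state` prints the marker strings matched below (OpenSSL 1.0.2/1.1.1 wording; confirm against your build).

```shell
#!/bin/sh
# Added example: verify whether an IMAPS server (implicit TLS on 993)
# still honours a client-initiated renegotiation. openssl s_client
# renegotiates when it reads an "R" line on stdin; with -state it logs
# handshake state changes and alerts, which we classify afterwards.

# Classify an s_client transcript read from stdin.
# Prints one of: accepted / refused / unknown
classify_renegotiation() {
    transcript=$(cat)
    case "$transcript" in
        *RENEGOTIATING*) ;;                 # s_client acted on the "R" line
        *) echo unknown; return 0 ;;       # never got as far as renegotiating
    esac
    after=${transcript#*RENEGOTIATING}      # only look at what followed
    case "$after" in
        # server answered with a no_renegotiation alert, or the client
        # refused (no RFC 5746 extension): renegotiation did not happen
        *"no renegotiation"*|*"renegotiation disabled"*|*"handshake failure"*)
            echo refused ;;
        # a second completed handshake means the server renegotiated
        *"SSL negotiation finished successfully"*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# Probe a live server, e.g.: probe_renegotiation mail.example.org 993
# (hypothetical host). Waits for the handshake, sends "R", then closes.
probe_renegotiation() {
    host=$1; port=${2:-993}
    { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -state -connect "$host:$port" 2>&1 |
        classify_renegotiation
}

# Constructed sample transcripts (abridged) for an offline self-check.
SAMPLE_ACCEPTED='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSL negotiation finished successfully
DONE'
SAMPLE_REFUSED='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL3 alert read:warning:no renegotiation
SSL3 alert write:fatal:handshake failure'
SAMPLE_NO_ATTEMPT='SSL_connect:SSL negotiation finished successfully
DONE'
```

Note that TLS 1.3 removes renegotiation entirely, so a server restricted to TLS 1.3 cannot report "accepted".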