[jira] [Commented] (JAMES-385) Allow to prevent weak ciphers when using useTLS

2015-04-07 Thread Matthieu Baechler (JIRA)

[ https://issues.apache.org/jira/browse/JAMES-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483365#comment-14483365 ]

Matthieu Baechler commented on JAMES-385:
-

Does this ticket still need work?

 Allow to prevent weak ciphers when using useTLS
 -

 Key: JAMES-385
 URL: https://issues.apache.org/jira/browse/JAMES-385
 Project: James Server
  Issue Type: Bug
  Components: SMTPServer
Affects Versions: 2.2.0, 2.3.0, 2.3.1, 2.3.2, 3.0-M1, 3.0-M2
 Environment: Linux, jdk 1.4
Reporter: Ralf Hauser
Assignee: Eric Charles
Priority: Critical
 Fix For: 3.0-beta3, 3.0.0-beta5

 Attachments: Cornerstone.patch.zip


 http://james.apache.org/usingTLS_2_1.html and 
 http://wiki.apache.org/james/UsingSSL explain how to set up a pop3s etc. and 
 describe how to secure a client connection to James.

     openssl s_client -connect pops.mydom.com:995 -cipher EXPORT

 illustrates that this is possible with james.
 One might argue that a decent client will never ask the server to negotiate a 
 weak cipher. But an attacker (man-in-the-middle) could remove stronger 
 ciphers from the client's offered cipher list, and then break the weak cipher 
 and e.g. obtain the user password to later hijack the account.
 Please amend the documentation on how to prevent this from happening by forcing 
 james to only negotiate sessions with 128+ bit session key strength.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
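
The restriction the report above asks for, sketched as an added example (it is not James or Cornerstone code): a fail-closed allow-list applied to a JSSE server socket so that only suites with 128-bit or stronger ciphers stay enabled. The class name, the method names and the name patterns are assumptions of this sketch; the socket calls are standard `javax.net.ssl` API.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical class, not part of James or Cornerstone.
public class StrongCipherServer {
    // Allow-list: keep a suite only if its name shows a 128+ bit cipher.
    // Unrecognised names are dropped, so the filter fails closed.
    static final String[] STRONG = {"_AES_128_", "_AES_256_", "_CHACHA20_"};
    // Refused even with a strong cipher: no authentication or no encryption.
    static final String[] NEVER = {"_anon_", "_NULL_", "_EXPORT_"};

    static boolean containsAny(String name, String[] parts) {
        for (String p : parts) {
            if (name.contains(p)) return true;
        }
        return false;
    }

    static String[] strongSuites(String[] candidates) {
        List<String> keep = new ArrayList<>();
        for (String name : candidates) {
            if (containsAny(name, STRONG) && !containsAny(name, NEVER)) keep.add(name);
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("no 128+ bit cipher suite available");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of JSSE suite names: export, DES, 3DES, anon, AES.
        String[] sample = {
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA"};
        System.out.println(String.join(", ", strongSuites(sample)));

        // Port 0 (any free port) is an assumption so the demo runs unprivileged.
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setEnabledCipherSuites(strongSuites(server.getSupportedCipherSuites()));
            System.out.println(server.getEnabledCipherSuites().length + " suites enabled");
        }
    }
}
```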



[jira] Commented: (JAMES-385) Allow to prevent weak ciphers when using useTLS

2005-09-13 Thread Ralf Hauser (JIRA)
[ 
http://issues.apache.org/jira/browse/JAMES-385?page=comments#action_12324457 ] 

Ralf Hauser commented on JAMES-385:
---

the same happens with axis client - see AXIS-2216

 Allow to prevent weak ciphers when using useTLS
 -

  Key: JAMES-385
  URL: http://issues.apache.org/jira/browse/JAMES-385
  Project: James
 Type: Bug
 Versions: 2.2.0
  Environment: Linux, jdk 1.4
 Reporter: Ralf Hauser
 Priority: Critical
  Attachments: Cornerstone.patch.zip


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[jira] Commented: (JAMES-385) Allow to prevent weak ciphers when using useTLS

2005-08-06 Thread Stefano Bagnara (JIRA)
[ 
http://issues.apache.org/jira/browse/JAMES-385?page=comments#action_12317846 ] 

Stefano Bagnara commented on JAMES-385:
---

For James 3.0 we moved to newer cornerstone libraries.

Please try the latest code from svn.

You can find cornerstone sources here:
https://svn.apache.org/repos/asf/excalibur/trunk/cornerstone/sockets/impl/src/java/org/apache/avalon/cornerstone/blocks/sockets/TLSServerSocketFactory.java



 Allow to prevent weak ciphers when using useTLS
 -

  Key: JAMES-385
  URL: http://issues.apache.org/jira/browse/JAMES-385
  Project: James
 Type: Bug
 Versions: 2.2.0
  Environment: Linux, jdk 1.4
 Reporter: Ralf Hauser
 Priority: Critical
  Attachments: Cornerstone.patch.zip




[jira] Commented: (JAMES-385) Allow to prevent weak ciphers when using useTLS

2005-07-21 Thread Ralf Hauser (JIRA)
[ 
http://issues.apache.org/jira/browse/JAMES-385?page=comments#action_12316328 ] 

Ralf Hauser commented on JAMES-385:
---

Until this is fixed in James (avalon/cornerstone,...), is there a possibility to 
configure this globally on a JVM/JRE-wide scale as a work-around 
(http://forum.java.sun.com/thread.jspa?threadID=646006)?

If you are going to fix this, allow to use the cipher-groupings of openssl in a 
fail-safe way (http://issues.apache.org/bugzilla/show_bug.cgi?id=35765).

 Allow to prevent weak ciphers when using useTLS
 -

  Key: JAMES-385
  URL: http://issues.apache.org/jira/browse/JAMES-385
  Project: James
 Type: Bug
 Versions: 2.2.0
  Environment: Linux, jdk 1.4
 Reporter: Ralf Hauser
 Priority: Critical





[jira] Commented: (JAMES-385) Allow to prevent weak ciphers when using useTLS

2005-07-19 Thread Ralf Hauser (JIRA)
[ 
http://issues.apache.org/jira/browse/JAMES-385?page=comments#action_12316068 ] 

Ralf Hauser commented on JAMES-385:
---

see http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1162 for a nice tool 
that gives you all the ciphers your james accepts.

 Allow to prevent weak ciphers when using useTLS
 -

  Key: JAMES-385
  URL: http://issues.apache.org/jira/browse/JAMES-385
  Project: James
 Type: Bug
 Versions: 2.2.0
  Environment: Linux, jdk 1.4
 Reporter: Ralf Hauser
 Priority: Critical

