[ http://issues.apache.org/jira/browse/JAMES-385?page=comments#action_12316328 ]
Ralf Hauser commented on JAMES-385: ----------------------------------- Until this is fixed in James (avalon/cornerstone,...), is there a possiblity to configure this globally on a JVM/JRE-wide scale as a work-around (http://forum.java.sun.com/thread.jspa?threadID=646006)? If you are going to fix this, allow to use the cipher-groupings of openssl in a fail-safe way (http://issues.apache.org/bugzilla/show_bug.cgi?id=35765). > Allow to prevent weak ciphers when using "useTLS" > ------------------------------------------------- > > Key: JAMES-385 > URL: http://issues.apache.org/jira/browse/JAMES-385 > Project: James > Type: Bug > Versions: 2.2.0 > Environment: Linux, jdk 1.4 > Reporter: Ralf Hauser > Priority: Critical > > http://james.apache.org/usingTLS_2_1.html and > http://wiki.apache.org/james/UsingSSL explain how to setup a pop3s etc. > describe how to secure a client connection to James. > openssl s_client -connect pops.mydom.com:995 -cipher EXPORT > illustrates that this is possible with james. > One might argue that a decent client will never ask the server to negotiate a > weak cipher. But an attacker (man-in-the-middle) could remove stronger > ciphers from the client's offered cipher list, and then break the weak cipher > and e.g. obtain the user password to later hijack the account. > Please amend the documentation how prevent this from happening by forcing > james to only negotiate sessions with 128+ bit session key strength -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
