All:

A lot of projects (1) are analyzing how their specific protocol may be vulnerable to the recently released TLS/SSL protocol-level vulnerability (2) involving client renegotiations.

With couriertcpd(8), does the SSL wrapper present the same limitation for cleartext protocols like SMTP and IMAP? Does the client or server SMTP code utilize renegotiations? I would think not. My understanding would be that, with the SSL certificate exchange, other than validating the identity of a client/server connection against the global PKI (trusted CAs for signed mail server certificates), at no point during a single SMTP or IMAP transaction would a new certificate be presented for additional security credentials. Of course, that doesn't mean the session cannot be hijacked for data injection (bypassing a relay restriction in ESMTPD, for example). SQWebmail sessions could be taken over as well, I suppose.

FreeBSD has disabled renegotiation support at the library level for the in-tree OpenSSL. Apache has disabled renegotiation in the daemon code. I'm curious what our approach will be.

1. OpenLDAP: http://www.openldap.org/lists/ietf-ldapext/200911/msg00000.html
2. http://extendedsubset.com/?p=8

Thanks,
~BAS
