Package: courier-ssl Version: 0.68.2-1 Hello,
POODLE attack can be avoided by disabling of SSLv3. However, while courier-ssl does support tlsv1_1 and tlsv1_2 by default, setting TLS_PROTOCOL to anything will disable them and allow only TLS1. (unless we enable SSL3, of courde). I can provide proofs, but I don't think it's needed, anyone can verify it by setting TLS_PROTOCOL to anything and try "openssl s_client -tls1_1 -connect ..." The ideal way would be to disable sslv3 by default (but to let admin allow it if really needed) and allow tls 1.* in either case. according to courier's author, it should be possible to patch: http://markmail.org/message/ikpla65xs64liqqh -- Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fucking windows! Bring Bill Gates! (Southpark the movie) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

