Package: courier-ssl
Version: 0.68.2-1

Hello,

POODLE attack can be avoided by disabling of SSLv3.

However, while courier-ssl does support tlsv1_1 and tlsv1_2 by default,
setting TLS_PROTOCOL to anything will disable them and allow only TLS1.
(unless we enable SSL3, of courde).

I can provide proofs, but I don't think it's needed, anyone can verify it
by setting TLS_PROTOCOL to anything and try
"openssl s_client -tls1_1 -connect ..."

The ideal way would be to disable sslv3 by default (but to let admin allow
it if really needed) and allow tls 1.* in either case.

according to courier's author, it should be possible to patch:
http://markmail.org/message/ikpla65xs64liqqh

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to