I *think* you can fix this in your config.

ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Consider yourself lucky you're not using UW.  I believe you need to
recompile it.

Nessus thinks I'm good with the setting above.

John

Amit Thakkar wrote:
> Hello,
> 
> I work for an organization that uses a Secure Dovecot server for messaging, 
> and recently we've had to undergo some security screenings for PKI compliance 
> (credit card industry standards).  However, the screening returned to us a 
> failure due to the following reason (attributed to our Dovecot server, which 
> runs on port 993 and is the only "open" port on our firewall):
> 
> Synopsis : The remote service encrypts traffic using a protocol with known
> weaknesses.
> Description : The remote service accepts connections encrypted using SSL 2.0,
> which reportedly suffers from several cryptographic flaws and has been
> deprecated for several years.  An attacker may be able to exploit these
> issues to conduct man-in-the-middle attacks or decrypt communications
> between the affected service and clients.
> See also : http://www.schneier.com/paper-ssl.pdf
> Solution : Consult the application's documentation to disable SSL 2.0 and
> use SSL 3.0 or TLS 1.0 instead.  See http://support.microsoft.com/kb/216482
> for instructions on IIS.  See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
> for Apache.
> Risk Factor : Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
> 
> Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use 
> only TLS 1.0 ?
> 
> Thank You
> 


-- 
John Gray                           [EMAIL PROTECTED]
AgoraNet, Inc.                      (302) 224-2475
314 E. Main Street, Suite 1         (302) 224-2552 (fax)
Newark, De 19711                    http://www.agora-net.com
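An added example, not code from this thread or from the Dovecot project: the cipher-list string in the reply above only tells OpenSSL which suites to offer, so the practical check is to ask the local OpenSSL (through Python's ssl module) what that string actually expands to and flag anything a PCI-style scan would still object to. The function names (expand_cipher_list, weak_reasons, audit) and the HARDENED_CIPHER_LIST string are my own choices, not Dovecot settings; the descriptions it matches on ("Au=None", "Enc=None", and so on) are the same fields `openssl ciphers -v` prints.

```python
"""Offline audit of an OpenSSL cipher-list string such as Dovecot's ssl_cipher_list.

Added example, not code from the thread or from Dovecot.  It asks the local
OpenSSL (via Python's ssl module) which suites a cipher-list string really
enables, then flags the ones a compliance scan would object to.
"""
import ssl

# The setting quoted in the reply above.
DOVECOT_CIPHER_LIST = "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"

# Assumption: a stricter list of my own for comparison.  Note that !aNULL covers
# both anonymous DH and anonymous ECDH suites, whereas !ADH covers only the former.
HARDENED_CIPHER_LIST = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!3DES"


def expand_cipher_list(spec):
    """Return the suites OpenSSL enables for `spec`, as dicts from SSLContext.get_ciphers().

    Keywords the linked OpenSSL no longer knows (SSLv2 on current builds) are
    silently ignored; ssl.SSLError is raised only when nothing matches at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def weak_reasons(cipher):
    """Reasons a single suite should not be offered; an empty list means acceptable.

    `cipher` is a get_ciphers() dict with at least 'name', 'description' (the
    `openssl ciphers -v` line, e.g. 'Kx=ECDH Au=None Enc=AES(256) Mac=SHA1')
    and 'strength_bits'.
    """
    desc = cipher["description"]
    reasons = []
    if "Enc=None" in desc:
        reasons.append("null encryption")
    if "Au=None" in desc:
        reasons.append("anonymous key exchange (no server authentication)")
    if cipher["name"].startswith("EXP"):
        reasons.append("export-grade")
    if "Enc=RC4" in desc:
        reasons.append("RC4")
    if "Mac=MD5" in desc:
        reasons.append("MD5 MAC")
    if cipher["strength_bits"] < 128:
        reasons.append("%d-bit effective strength" % cipher["strength_bits"])
    return reasons


def audit(spec):
    """Map suite name -> reasons, for every enabled suite that is weak."""
    findings = {}
    for cipher in expand_cipher_list(spec):
        reasons = weak_reasons(cipher)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


if __name__ == "__main__":
    for label, spec in (("reply's list", DOVECOT_CIPHER_LIST),
                        ("hardened list", HARDENED_CIPHER_LIST)):
        suites = expand_cipher_list(spec)
        findings = audit(spec)
        print("%s: %d suites enabled, %d flagged" % (label, len(suites), len(findings)))
        for name, reasons in findings.items():
            print("  %s: %s" % (name, ", ".join(reasons)))
```

Run it on the machine that runs Dovecot, since the result depends on the OpenSSL it is linked against. On a current OpenSSL the reply's list passes the null-encryption and export checks but can still admit anonymous ECDH suites (AECDH-*), because ALL includes unauthenticated suites and !ADH only removes the DH ones; the audit flags those as "Au=None". Removing suites is also not the same as refusing the SSL 2.0 handshake itself; newer Dovecot releases have a dedicated protocol setting for that (ssl_protocols, later ssl_min_protocol), which is the setting a scanner like the one quoted is really testing for.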