BTW. Dovecot v1.1 has by default:

ssl_cipher_list = ALL:!LOW:!SSLv2

I'd think that's enough to fix this too.

On Tue, 2008-09-30 at 10:23 -0400, John Gray wrote:
> I *think* you can fix this in your config.
>
> ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
>
> Consider yourself lucky you're not using UW. I believe you need to
> recompile it.
>
> Nessus thinks I'm good with the setting above.
>
> John
>
> Amit Thakkar wrote:
> > Hello,
> >
> > I work for an organization that uses a Secure Dovecot server for messaging,
> > and recently we've had to undergo some security screenings for PKI
> > compliance (credit card industry standards). However, the screening
> > returned to us a failure due to the following reason (attributed to our
> > Dovecot server, which runs on port 993 and is the only "open" port on our
> > firewall):
> >
> > Synopsis : The remote service encrypts traffic using a protocol with known
> > weaknesses.
> > Description : The remote service accepts connections encrypted using SSL 2.0, which
> > reportedly suffers from several cryptographic flaws and has been
> > deprecated for several years. An attacker may be able to exploit these
> > issues to conduct man-in-the-middle attacks or decrypt communications
> > between the affected service and clients.
> > See also : http://www.schneier.com/paper-ssl.pdf
> > Solution: Consult the application's documentation to disable SSL 2.0 and use SSL
> > 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for
> > instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
> > Risk Factor: Medium / CVSS Base Score : 2
> > (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
> >
> > Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use
> > only TLS 1.0 ?
> >
> > Thank You
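As an added illustration (not part of this thread, nor Dovecot's or OpenSSL's own code), a small Python evaluator for OpenSSL-style cipher list strings, run over a constructed suite table. It shows why both `ssl_cipher_list` values above leave no SSLv2 suite negotiable, how `!` differs from `-`, and what `+HIGH:+MEDIUM` does to the ordering; the suite table and its attributes are made up for the demo.

```python
# Constructed, simplified suite table: (name, protocol, attributes). The names follow
# OpenSSL's, but the table is made up for this demo, not OpenSSL's real cipher set.
SUITES = [
    ("RC4-MD5",         "SSLv2", frozenset({"MEDIUM", "RSA"})),
    ("DES-CBC3-MD5",    "SSLv2", frozenset({"HIGH", "RSA"})),
    ("EXP-RC4-MD5",     "SSLv2", frozenset({"EXP", "RSA"})),
    ("AES256-SHA",      "TLSv1", frozenset({"HIGH", "RSA"})),
    ("DES-CBC3-SHA",    "SSLv3", frozenset({"HIGH", "RSA"})),
    ("RC4-SHA",         "SSLv3", frozenset({"MEDIUM", "RSA"})),
    ("DES-CBC-SHA",     "SSLv3", frozenset({"LOW", "RSA"})),
    ("EXP-DES-CBC-SHA", "SSLv3", frozenset({"EXP", "RSA"})),
    ("ADH-AES128-SHA",  "TLSv1", frozenset({"HIGH", "ADH"})),
]


def resolve(cipher_list):
    """Evaluate an OpenSSL-style cipher list against SUITES; returns (name, protocol)
    pairs in negotiation order. Simplified ciphers(1) semantics:
      word   append matching suites not already selected
      -word  remove matching suites (a later plain word may re-add them)
      !word  remove matching suites and forbid re-adding them
      +word  move already-selected matching suites to the end of the list
    A word matches a suite by exact name, by protocol, by attribute, or via ALL.
    """
    selected, killed = [], set()
    for element in cipher_list.split(":"):
        if not element or element.startswith("@"):  # @STRENGTH-style sort directives: ignored
            continue
        op, word = (element[0], element[1:]) if element[0] in "!-+" else ("", element)
        hits = [s for s in SUITES if word in ("ALL", s[0], s[1]) or word in s[2]]
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        else:
            selected += [s for s in hits if s not in selected and s not in killed]
    return [(name, proto) for name, proto, _ in selected]


def protocols(cipher_list):
    """Protocols that still have at least one negotiable suite after evaluation."""
    return {proto for _, proto in resolve(cipher_list)}


if __name__ == "__main__":
    for cl in ("ALL", "ALL:!LOW:!SSLv2", "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"):
        print(f"{cl:42} -> {sorted(protocols(cl))} {[n for n, _ in resolve(cl)]}")
```

Run stand-alone it prints, for each list, the protocols that survive and the suite order; with the longer list the `+HIGH:+MEDIUM` tail ends up with the HIGH suites ahead of the MEDIUM one because `+` moves each group to the end in turn.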