Hi!

Tony Galecki via Info-cyrus wrote on 02/03/16 03:57:
> I’m trying to figure out how to make my Cyrus install not susceptible to
> the DROWN issue.
> I have tried limiting the ciphers to TLSv1.2 but haven’t had much success.

Limiting the cipher list does not deactivate protocol support in OpenSSL.

I don't know which patches Fedora backported from 2.4.18, but it seems not
enough, because 2.4.18 disables SSLv2/v3 by default and you can set
tls_versions: ...
in your config. Setting these is the only way to get rid of the protocols
themselves.

On older cyrus versions you can set
tlsonly: 1
but this can/will limit your protocol support to TLSv1, with disabled v1.1
and v1.2, because TLSv1_server_method() was used.

You do not need to rebuild OpenSSL. I would check the SPEC File of the CentOS
7 RPM which patches they included. If the TLS changes were not backported I
would try to build one of the newer 2.4.18 SRPMs for Fedora (eg. 23) on CentOS 
7.

Greetings, Wolfgang
-- 
Wolfgang Breyha <wbre...@gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
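
An added example, not part of the original message or of Cyrus itself: a small audit of imapd.conf text for the points made in the reply above (cipher list versus protocol versions, and the `tlsonly` side effect). The sample configs are constructed, and the `ssl2`/`ssl3` tokens for `tls_versions` and the `tls_cipher_list` option name are assumptions to confirm against imapd.conf(5) for your version.

```python
import re

# Constructed sample imapd.conf fragments (not from the original thread).
SAMPLE_CIPHERS_ONLY = """\
# ciphers restricted, protocols untouched
tls_cipher_list: HIGH:!aNULL:!MD5
"""
SAMPLE_TLSONLY = "tlsonly: 1\n"
SAMPLE_VERSIONS = "tls_versions: tls1_1 tls1_2\n"

LEGACY = {"ssl2", "ssl3"}  # assumed token names; confirm in imapd.conf(5)
TRUE_VALUES = {"1", "yes", "on", "true", "t"}

def parse_conf(text):
    """Return {option: value} from 'key: value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*:\s*(.*)$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts

def audit(text):
    """Return a list of findings about SSL/TLS protocol settings."""
    opts = parse_conf(text)
    findings = []
    versions = opts.get("tls_versions")
    if versions is None:
        findings.append("tls_versions not set: protocols depend on build defaults")
        if "tls_cipher_list" in opts:
            findings.append("tls_cipher_list alone does not disable any protocol")
    else:
        for proto in sorted(set(versions.split()) & LEGACY):
            findings.append(f"tls_versions enables legacy protocol {proto}")
    if opts.get("tlsonly", "0").lower() in TRUE_VALUES:
        findings.append("tlsonly set: may pin the server to TLSv1 only")
    return findings

if __name__ == "__main__":
    samples = [("ciphers-only", SAMPLE_CIPHERS_ONLY),
               ("tlsonly", SAMPLE_TLSONLY),
               ("versions", SAMPLE_VERSIONS)]
    for name, conf in samples:
        print(name, audit(conf) or ["no findings"])
```
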
