Re: [courier-users] [PATCH] disable aNULL-ciphers, maybe enable medium ciphers

2009-08-12 Thread Sam Varshavchik

Hanno Böck writes:

Bernd Wurst told me that our cipher string (we're maintaining the server 
together) got once used as the default for courier, so you probably have that 
problem as well ;-)


Yeah, I think he was the one that came up with the defaults.

Defaults changed. I kept the MEDIUM ciphers switched off. The man page does 
not really say that MEDIUM includes the 128 bit ciphers, just "some of 
those". So, let's stick with HIGH ciphers only, and let OpenSSL decide 
what's a medium cipher and what's a high cipher.







[courier-users] [PATCH] disable aNULL-ciphers, maybe enable medium ciphers

2009-08-12 Thread Hanno Böck
Hi,

On some investigation of my servers, I found that my common ssl cipher string 
enables the aNULL-ciphers. Those are ciphers without any authentication of the 
server certificate and their usage is discouraged.

Bernd Wurst told me that our cipher string (we're maintaining the server 
together) got once used as the default for courier, so you probably have that 
problem as well ;-)

Besides, the current default string in courier disables the medium ciphers 
(which are mainly 128 bit ciphers). I think they're perfectly okay, and it's 
quite questionable whether the high ciphers are an improvement (e.g. the recent 
theoretical AES attacks only work on the 256-bit version, not the 128-bit one).

So I'm providing you with two patches and ask that you apply at least one.
courier-0.62.2-sslcipherstring-anull.diff : disable aNULL
courier-0.62.2-sslcipherstring-anull-medium.diff : disable aNULL and enable MEDIUM

-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber/Mail:ha...@hboeck.de

http://schokokeks.org - professional webhosting
diff -Naur courier-0.62.2/courier/courierd.dist.in courier-0.62.2-sslstring/courier/courierd.dist.in
--- courier-0.62.2/courier/courierd.dist.in	2008-07-13 16:54:48.0 +0200
+++ courier-0.62.2-sslstring/courier/courierd.dist.in	2009-08-12 16:28:52.0 +0200
@@ -269,7 +269,7 @@
 #
 # OpenSSL:
 #
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
 #
 # To enable SSL2, remove the obvious "!SSLv2" part from the above list.
 #
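Review bot: the tokens `!n...@strength` (removed line) and `!an...@strength` (added line) look like the list archive's e-mail-address masking applied to `!NULL:@STRENGTH` and `!NULL:!aNULL:@STRENGTH`; confirm the raw patch carries the full alias names before applying, because OpenSSL silently ignores an unrecognised word in a cipher string and the anonymous suites would then stay enabled with no error. This hunk only edits a commented-out example, so it is documentation; the live default is the libcouriertls.c hunk.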
diff -Naur courier-0.62.2/courier/module.esmtp/esmtpd.dist.in courier-0.62.2-sslstring/courier/module.esmtp/esmtpd.dist.in
--- courier-0.62.2/courier/module.esmtp/esmtpd.dist.in	2009-06-02 05:04:25.0 +0200
+++ courier-0.62.2-sslstring/courier/module.esmtp/esmtpd.dist.in	2009-08-12 16:28:52.0 +0200
@@ -139,7 +139,7 @@
 # When using the SSL23 protocol setting (see above), the following setting
 # should turn off SSL2 (leaving just SSL3 and TLS1) and all anonymous ciphers:
 #
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
 #
 # GnuTLS:
 #
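Review bot: the comment directly above the changed line ("and all anonymous ciphers") promised something the old string never delivered: `!NULL` is OpenSSL's alias for eNULL, suites with no encryption, while anonymous key exchange is the separate `aNULL` alias, so only the added line makes the string match its own comment. The changelog should say the documented example was incorrect, not merely that it got stricter.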
diff -Naur courier-0.62.2/courier/module.esmtp/esmtpd-ssl.dist.in courier-0.62.2-sslstring/courier/module.esmtp/esmtpd-ssl.dist.in
--- courier-0.62.2/courier/module.esmtp/esmtpd-ssl.dist.in	2008-07-12 22:17:24.0 +0200
+++ courier-0.62.2-sslstring/courier/module.esmtp/esmtpd-ssl.dist.in	2009-08-12 16:28:52.0 +0200
@@ -163,7 +163,7 @@
 #
 # OpenSSL:
 #
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
 #
 # To enable SSL2, remove the obvious "!SSLv2" part from the above list.
 #
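Review bot: this is the third copy of the same default string, and every file in this patch carries its own; consider generating the documented examples from the single constant in libcouriertls.c, or at least grepping the tree for `!NULL:` before a release, so the next cipher-list change does not leave some of the copies stale.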
diff -Naur courier-0.62.2/imap/imapd-ssl.dist.in courier-0.62.2-sslstring/imap/imapd-ssl.dist.in
--- courier-0.62.2/imap/imapd-ssl.dist.in	2008-07-12 22:17:24.0 +0200
+++ courier-0.62.2-sslstring/imap/imapd-ssl.dist.in	2009-08-12 16:28:52.0 +0200
@@ -147,7 +147,7 @@
 #
 # OpenSSL:
 #
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
 #
 # To enable SSL2, remove the obvious "!SSLv2" part from the above list.
 #
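Review bot: changing the commented-out example does nothing for installations whose imapd-ssl already sets TLS_CIPHER_LIST explicitly; they keep the old `!NULL`-only string. The release notes should tell administrators to add `!aNULL` to any existing setting, and running `openssl ciphers -v` on their string and looking for `Au=None` rows is the quick way to verify the result.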
diff -Naur courier-0.62.2/imap/pop3d-ssl.dist.in courier-0.62.2-sslstring/imap/pop3d-ssl.dist.in
--- courier-0.62.2/imap/pop3d-ssl.dist.in	2008-07-12 22:17:25.0 +0200
+++ courier-0.62.2-sslstring/imap/pop3d-ssl.dist.in	2009-08-12 16:28:52.0 +0200
@@ -134,7 +134,7 @@
 #
 # OpenSSL:
 #
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
 #
 # To enable SSL2, remove the obvious "!SSLv2" part from the above list.
 #
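Review bot: placing `!aNULL` near the end of the string is correct: OpenSSL treats a `!` exclusion as permanent regardless of position, so the earlier `HIGH` selection cannot re-add anonymous suites; the same would not hold for `-aNULL`, which a later entry could re-enable. Keep the `!` form in the MEDIUM variant of the patch as well.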
diff -Naur courier-0.62.2/tcpd/libcouriertls.c courier-0.62.2-sslstring/tcpd/libcouriertls.c
--- courier-0.62.2/tcpd/libcouriertls.c	2009-06-27 18:32:50.0 +0200
+++ courier-0.62.2-sslstring/tcpd/libcouriertls.c	2009-08-12 16:28:52.0 +0200
@@ -567,7 +567,7 @@
 	SSL_CTX_set_options(ctx, SSL_OP_ALL);
 
 	if (!ssl_cipher_list)
-		ssl_cipher_list="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength";
+		ssl_cipher_list="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength";
 
 	SSL_CTX_set_cipher_list(ctx, ssl_cipher_list);
 	SSL_CTX_set_timeout(ctx, session_timeout);
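Review bot: the return value of `SSL_CTX_set_cipher_list(ctx, ssl_cipher_list);` two lines below the changed string is not checked; it returns 0 when nothing in the string can be selected, so a typo in this default (or an alias the linked OpenSSL does not know) would leave the context on OpenSSL's own default list with nothing logged. Check the return and refuse to start, since this is the only hunk that changes runtime behaviour rather than a comment.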
diff -Naur courier-0.62.2/courier/courierd.dist.in courier-0.62.2-sslstring/courier/courierd.dist.in
--- courier-0.62.2/courier/courierd.dist.in	2008-07-13 16:54:48.0 +0200
+++ courier-0.62.2-sslstring/courier/courierd.dist.in	2009-08-12 16:29:57.0 +0200
@@ -269,7 +269,7 @@
 #
 # OpenSSL:
 #
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIP
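Added example, not code from the thread or from Courier: it hands the old and patched default strings from the first message to Python's ssl module (a wrapper around OpenSSL's own cipher-string parser) and lists which selected suites authenticate nobody, which is what the added `!aNULL` removes; it also shows what a MEDIUM-enabling variant adds, answering the HIGH-versus-MEDIUM question in the reply. The two strings are reconstructed from the archive's masked text, and the MEDIUM string is an assumption since the second patch is truncated on the page.

```python
"""Audit OpenSSL cipher strings for anonymous (Au=None) suites."""
import ssl

# Reconstructed from the archive, whose address masking turned "!NULL:@STRENGTH"
# into "!n...@strength" and "!NULL:!aNULL:@STRENGTH" into "!an...@strength".
OLD_DEFAULT = "SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:@STRENGTH"
NEW_DEFAULT = "SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL:@STRENGTH"
# Assumed shape of the second patch (truncated on the page): MEDIUM allowed,
# anonymous suites still excluded with a permanent "!" rule.
NEW_WITH_MEDIUM = "SSLv3:TLSv1:!SSLv2:HIGH:MEDIUM:!LOW:!EXP:!NULL:!aNULL:@STRENGTH"


def expand(cipher_string):
    """Return [(name, description)] for the TLS<=1.2 suites OpenSSL selects.

    TLS 1.3 suites are configured separately by OpenSSL and are never
    anonymous, so they are left out to keep the comparison about the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["description"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def anonymous_suites(cipher_string):
    """Names of selected suites with no server authentication (OpenSSL: Au=None)."""
    return [name for name, desc in expand(cipher_string) if "Au=None" in desc]


def added_suites(base_string, wider_string):
    """Suites selected by wider_string but not by base_string (e.g. what MEDIUM adds)."""
    base = {name for name, _ in expand(base_string)}
    return [name for name, _ in expand(wider_string) if name not in base]


if __name__ == "__main__":
    for label, spec in (("old default", OLD_DEFAULT), ("patched", NEW_DEFAULT)):
        anon = anonymous_suites(spec)
        print(f"{label}: {len(expand(spec))} suites, {len(anon)} anonymous {anon}")
    print("MEDIUM would add:", added_suites(NEW_DEFAULT, NEW_WITH_MEDIUM))
```

The exact suite names depend on the OpenSSL build behind your Python, but the patched string yields no Au=None rows on any build.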