Hi,
On some investigation of my servers, I found that my common ssl cipher string
enables the aNULL-ciphers. Those are ciphers without any authentication of the
server certificate and their usage is discouraged.
Bernd Wurst told me that our cipher string (we're maintaining the server
together) got once used as the default for courier, so you probably have that
problem as well ;-)
Besides, the current default string in courier disables the medium ciphers
(which are mainly 128-bit ciphers). I think they're perfectly okay and it's
quite questionable if the high ciphers are an improvement (e.g. the recent
theoretical AES attacks only work on the 256-bit version, not the 128-bit one).
So I'm providing you two patches and ask that you apply at least one.
courier-0.62.2-sslcipherstring-anull.diff : disable aNULL
courier-0.62.2-sslcipherstring-anull-medium.diff : disable aNULL and enable MEDIUM
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de
http://schokokeks.org - professional webhosting
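As an added check (not part of this mail or of the Courier project), the script below parses the text that `openssl ciphers -v` prints for a cipher string and sorts the suites into the classes the two exclusions act on: `Au=None` suites (what `!aNULL` removes, no server authentication) and `Enc=None` suites (what `!NULL` removes, no encryption). The sample output embedded in it is hand-constructed in that format; `audit_cipher_string` is a convenience wrapper that assumes an `openssl` binary on PATH.

```python
"""Audit an OpenSSL cipher list for the suite classes Courier's !aNULL/!NULL exclude.

Added example; parses the `openssl ciphers -v` line format:
NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
"""
import re
import shutil
import subprocess

# Constructed sample in `openssl ciphers -v` format (real suite names, but
# written by hand here, not captured from a Courier host).
SAMPLE_OUTPUT = """\
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` output into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in
            (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def enc_bits(enc):
    """Key size from an Enc= field such as AES(128); 0 for None or unknown."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0

def audit(text):
    """Group suites by the exclusion that would remove them from the list."""
    report = {"anonymous": [], "unencrypted": [], "ok": []}
    for s in parse_ciphers_v(text):
        if s["au"] == "None":        # removed by !aNULL (no server authentication)
            report["anonymous"].append(s["name"])
        elif s["enc"] == "None":     # removed by !NULL / !eNULL (no encryption)
            report["unencrypted"].append(s["name"])
        else:
            report["ok"].append((s["name"], enc_bits(s["enc"])))
    return report

def audit_cipher_string(cipher_string):
    """Expand a TLS_CIPHER_LIST value with the local openssl binary and audit it."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)

if __name__ == "__main__":
    for cls, names in audit(SAMPLE_OUTPUT).items():
        print(f"{cls}: {names}")
```

Run against a real string, `audit_cipher_string(...)["anonymous"]` should be empty once `!aNULL` is in the list.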
diff -Naur courier-0.62.2/courier/courierd.dist.in courier-0.62.2-sslstring/courier/courierd.dist.in
--- courier-0.62.2/courier/courierd.dist.in 2008-07-13 16:54:48.0 +0200
+++ courier-0.62.2-sslstring/courier/courierd.dist.in 2009-08-12 16:28:52.0 +0200
@@ -269,7 +269,7 @@
#
# OpenSSL:
#
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
#
# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
#
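Review bot: the `!n...@strength` and `!an...@strength` fragments on the `-` and `+` lines have the `...@` shape of the list archive's e-mail address obfuscation, not of a real OpenSSL cipher string, so the strings should be taken from the raw attachment rather than from these rendered lines. Note also that this hunk only edits a commented-out example in courierd.dist.in; the default that actually runs is the hardcoded string in tcpd/libcouriertls.c further down, and the four other .dist.in hunks repeat this same comment edit.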
diff -Naur courier-0.62.2/courier/module.esmtp/esmtpd.dist.in courier-0.62.2-sslstring/courier/module.esmtp/esmtpd.dist.in
--- courier-0.62.2/courier/module.esmtp/esmtpd.dist.in 2009-06-02 05:04:25.0 +0200
+++ courier-0.62.2-sslstring/courier/module.esmtp/esmtpd.dist.in 2009-08-12 16:28:52.0 +0200
@@ -139,7 +139,7 @@
# When using the SSL23 protocol setting (see above), the following setting
# should turn off SSL2 (leaving just SSL3 and TLS1) and all anonymous ciphers:
#
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
#
# GnuTLS:
#
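Review bot: the comment above the setting already promises that it turns off "all anonymous ciphers", but the original example string only excludes NULL (suites with no encryption), not aNULL (suites with no server authentication); since OpenSSL's `HIGH` group contains the anonymous DH/ECDH suites, the added `!aNULL` is what makes the string live up to the comment. Worth spelling that out in the comment, e.g. that `!NULL` and `!aNULL` exclude different things and both are needed.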
diff -Naur courier-0.62.2/courier/module.esmtp/esmtpd-ssl.dist.in courier-0.62.2-sslstring/courier/module.esmtp/esmtpd-ssl.dist.in
--- courier-0.62.2/courier/module.esmtp/esmtpd-ssl.dist.in 2008-07-12 22:17:24.0 +0200
+++ courier-0.62.2-sslstring/courier/module.esmtp/esmtpd-ssl.dist.in 2009-08-12 16:28:52.0 +0200
@@ -163,7 +163,7 @@
#
# OpenSSL:
#
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
#
# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
#
diff -Naur courier-0.62.2/imap/imapd-ssl.dist.in courier-0.62.2-sslstring/imap/imapd-ssl.dist.in
--- courier-0.62.2/imap/imapd-ssl.dist.in 2008-07-12 22:17:24.0 +0200
+++ courier-0.62.2-sslstring/imap/imapd-ssl.dist.in 2009-08-12 16:28:52.0 +0200
@@ -147,7 +147,7 @@
#
# OpenSSL:
#
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
#
# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
#
diff -Naur courier-0.62.2/imap/pop3d-ssl.dist.in courier-0.62.2-sslstring/imap/pop3d-ssl.dist.in
--- courier-0.62.2/imap/pop3d-ssl.dist.in 2008-07-12 22:17:25.0 +0200
+++ courier-0.62.2-sslstring/imap/pop3d-ssl.dist.in 2009-08-12 16:28:52.0 +0200
@@ -134,7 +134,7 @@
#
# OpenSSL:
#
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength"
#
# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
#
diff -Naur courier-0.62.2/tcpd/libcouriertls.c courier-0.62.2-sslstring/tcpd/libcouriertls.c
--- courier-0.62.2/tcpd/libcouriertls.c 2009-06-27 18:32:50.0 +0200
+++ courier-0.62.2-sslstring/tcpd/libcouriertls.c 2009-08-12 16:28:52.0 +0200
@@ -567,7 +567,7 @@
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (!ssl_cipher_list)
- ssl_cipher_list="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength";
+ ssl_cipher_list="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength";
SSL_CTX_set_cipher_list(ctx, ssl_cipher_list);
SSL_CTX_set_timeout(ctx, session_timeout);
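Review bot: this is the only hunk that changes behaviour, since it replaces the default used when `ssl_cipher_list` is unset, i.e. what every installation that never set TLS_CIPHER_LIST runs; the .dist.in hunks only keep the documented example in sync. After applying, `openssl ciphers -v '<new string>'` should list no `Au=None` suites. This hunk touches only the OpenSSL path; the esmtpd.dist.in comment above has a separate `GnuTLS:` section, so it is worth checking whether the GnuTLS build has an equivalent default that needs the same treatment.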
diff -Naur courier-0.62.2/courier/courierd.dist.in courier-0.62.2-sslstring/courier/courierd.dist.in
--- courier-0.62.2/courier/courierd.dist.in 2008-07-13 16:54:48.0 +0200
+++ courier-0.62.2-sslstring/courier/courierd.dist.in 2009-08-12 16:29:57.0 +0200
@@ -269,7 +269,7 @@
#
# OpenSSL:
#
-# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength"
+# TLS_CIP
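Review bot: this second copy of the courierd.dist.in hunk carries a later mtime (16:29:57 versus 16:28:52 in the first copy) and looks like the start of the second patch, courier-0.62.2-sslcipherstring-anull-medium.diff, appended after the first; the attachment is cut off mid-line at `+# TLS_CIP`, so the MEDIUM variant cannot be reviewed from this message and should be resent or attached separately.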