Allow to prevent weak ciphers when using "useTLS"
-------------------------------------------------
Key: JAMES-385
URL: http://issues.apache.org/jira/browse/JAMES-385
Project: James
Type: Bug
Versions: 2.2.0
Environment: Linux, jdk 1.4
Reporter: Ralf Hauser
Priority: Critical
http://james.apache.org/usingTLS_2_1.html and
http://wiki.apache.org/james/UsingSSL explain how to set up a pop3s etc. and
describe how to secure a client connection to James.

    openssl s_client -connect pops.mydom.com:995 -cipher EXPORT

illustrates that this is possible with James.
One might argue that a decent client will never ask the server to negotiate a
weak cipher. But an attacker (man-in-the-middle) could remove stronger ciphers
from the client's offered cipher list, and then break the weak cipher and e.g.
obtain the user password to later hijack the account.
Please amend the documentation on how to prevent this from happening by forcing
James to only negotiate sessions with 128+ bit session key strength.
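
One way to enforce the restriction requested above at the JSSE level, as an added example that is not part of the original report and not James code. The class name StrongCipherFilter and the deny-list of name fragments are assumptions made for illustration; how James creates its TLS server socket is not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical helper (not part of James): drops cipher suites below
// 128-bit key strength before the server socket accepts connections.
public class StrongCipherFilter {
    // Constructed deny-list: fragments of standard JSSE suite names that mark
    // export-grade, unencrypted, unauthenticated or sub-128-bit suites.
    private static final String[] WEAK = {
        "_EXPORT_", "_NULL_", "_anon_", "_DES40_", "_DES_CBC_",
        "_RC4_40_", "_RC2_CBC_40_"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    static String[] strongOnly(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (!isWeak(s)) keep.add(s);
        }
        // Fail closed: never fall back to the unfiltered list.
        if (keep.isEmpty()) throw new IllegalStateException("no strong cipher suite left");
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list using standard JSSE suite names.
        String[] sample = {
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_NULL_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println("kept from sample: " + String.join(",", strongOnly(sample)));

        // Apply the same filter to a real server socket before accept().
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) f.createServerSocket(0)) {
            server.setEnabledCipherSuites(strongOnly(server.getEnabledCipherSuites()));
            System.out.println("enabled suites: " + server.getEnabledCipherSuites().length);
        }
    }
}
```

With the filter applied on the server side, the `openssl s_client ... -cipher EXPORT` check from the report should fail to negotiate a session instead of connecting.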