[ http://issues.apache.org/jira/browse/JAMES-385?page=all ]
Stefano Bagnara updated JAMES-385:
----------------------------------
Component: SMTPServer
> Allow to prevent weak ciphers when using "useTLS"
> -------------------------------------------------
>
> Key: JAMES-385
> URL: http://issues.apache.org/jira/browse/JAMES-385
> Project: James
> Type: Bug
> Components: SMTPServer
> Versions: 2.2.0
> Environment: Linux, jdk 1.4
> Reporter: Ralf Hauser
> Priority: Critical
> Attachments: Cornerstone.patch.zip
>
> http://james.apache.org/usingTLS_2_1.html and
> http://wiki.apache.org/james/UsingSSL explain how to setup a pop3s etc.
> describe how to secure a client connection to James.
> openssl s_client -connect pops.mydom.com:995 -cipher EXPORT
> illustrates that this is possible with james.
> One might argue that a decent client will never ask the server to negotiate a
> weak cipher. But an attacker (man-in-the-middle) could remove stronger
> ciphers from the client's offered cipher list, and then break the weak cipher
> and e.g. obtain the user password to later hijack the account.
> Please amend the documentation how prevent this from happening by forcing
> james to only negotiate sessions with 128+ bit session key strength
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
