Setting the supported cipher suites when startTLS is enabled is not
limiting the available ciphers since the instantiation of the Encryption
object always sets the member enabledCipherSuites to null.
Demonstrate issue:
Add the following to the tls tag in conf/smtpserver.conf
<supportedCipherSuites>
<cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
</supportedCipherSuites>
With the change active, attempting to connect to the server with the
following command will succeed (with a weaker cipher)
openssl s_client -connect mail.server.tld:25 -crlf -starttls smtp
-cipher LOW
Patch:
---
current/protocols/api/src/main/java/org/apache/james/protocols/api/Encryption.java
(revision 1420267)
+++
current/protocols/api/src/main/java/org/apache/james/protocols/api/Encryption.java
2012-12-11 11:41:45.000000000 -0500
@@ -73,7 +73,7 @@
* @return enc
*/
public static Encryption createStartTls(SSLContext context,
String[] enabledCipherSuites) {
- return new Encryption(context, true, null);
+ return new Encryption(context, true, enabledCipherSuites);
}
/**
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
