On 2014-04-16 10:30, Arnt Gulbrandsen wrote:
I changed the cipher suite to enable PFS last August and tested that
it worked (i.e. I got PFS). I can't tell what the problem is now and
haven't the time to check today.

Stunnel is not a particularly good answer in my opinion; the passwords
would be visible anyway. Openssl can reveal anything in its memory
blah, including cleartext it has received or sent. When an application
receives "login arnt tnra" from openssl, openssl has just decrypted
those fifteen bytes and stored them in the kind of memory
structure heartbleed can read.

In case of aox, heartbleed makes anything vulnerable that's sent to or
read from any SSL-encrypted connection.


Stunnel, however, gives you full control over your cipher suites. There's a long gap in time between Aox 3.1.3 and 3.2.0, which means for nearly 4 years end users had no control over this. I certainly agree that stunnel is not going to magically make all your security problems go away, but in certain cases it can help to shrink the scope of the damage possible (though possibly not very much for an IMAP server).

The article I was referring to is below

http://www.daemonology.net/blog/2009-09-28-securing-https.html
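For readers who want to see what "full control over your cipher suites" looks like in practice, here is an added example of a stunnel server configuration; it is not from either poster and not part of the aox or stunnel projects. It assumes a stunnel 4.x-style config file, a local IMAP listener on 127.0.0.1:143, and certificate/key paths that are placeholders. It restricts the TLS front end to forward-secret (ECDHE/DHE) suites and turns off SSLv2/SSLv3, which is the kind of control the message above says aox 3.1.3 users lacked. Note that stunnel links OpenSSL itself, so, as the quoted reply points out, this does nothing about Heartbleed reading decrypted data out of process memory.

```ini
; Added example stunnel.conf (not from the thread). Paths, user/group and
; ports are assumptions; adjust for the host.
cert   = /etc/stunnel/imap.pem      ; server certificate chain (assumed path)
key    = /etc/stunnel/imap.key      ; private key (assumed path)
setuid = stunnel4
setgid = stunnel4
pid    = /var/run/stunnel4/stunnel.pid

; Refuse protocol versions that cannot do a modern handshake.
; 'options' takes OpenSSL SSL_OP_* names without the SSL_OP_ prefix.
options = NO_SSLv2
options = NO_SSLv3

; Let the server's order win, so a client cannot steer the negotiation
; toward a weaker suite that both sides happen to support.
options = CIPHER_SERVER_PREFERENCE

; Only ephemeral-key (forward-secret) suites. The negative entries drop
; anonymous/null ciphers, MD5 MACs and RC4 outright.
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!MD5:!RC4

; IMAPS front end: TLS on 993, cleartext IMAP to the local aox listener.
[imaps]
accept  = 993
connect = 127.0.0.1:143
```

To check the result the way the quoted reply describes ("tested that it worked, i.e. I got PFS"), connect with `openssl s_client -connect host:993` and read the `Cipher` line in the session summary: a name beginning with `ECDHE-` or `DHE-` means an ephemeral key exchange was negotiated, while a plain `AES256-SHA` or similar means the static RSA key was used and the session is not forward secret. DHE suites also need DH parameters available to stunnel; whether they are built in or must be appended to the PEM file depends on the stunnel version, so confirm that on the installed build.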
