Bug 40810 - Disable SSLv2 and SSLv3 in Cyrus IMAPD (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-8-errata
Assigned To: Daniel Tröder
QA Contact: Felix Botner
Depends on:
Blocks: 41378
Reported: 2016-03-01 15:51 CET by Michael Grandjean
Modified: 2016-09-27 12:34 CEST (History)

What kind of report is it?: Security Issue
Attachments
Untested patch - new defaults are from Debian Jessie (668 bytes, patch)
2016-03-01 16:07 CET, Michael Grandjean

Description Michael Grandjean univentionstaff 2016-03-01 15:51:23 CET
Cyrus still supports SSLv3 and even SSLv2 in our default configuration:

> tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

This makes UCS 3.2 (and older) vulnerable to the DROWN attack: https://drownattack.com/

UCS 4.0 and 4.1 don't offer SSLv2 anymore, but still offer SSLv3, which is also considered "not sufficiently secure" -> https://datatracker.ietf.org/doc/rfc7568/
Comment 1 Michael Grandjean univentionstaff 2016-03-01 16:07:58 CET
Created attachment 7508 [details]
Untested patch - new defaults are from Debian Jessie
Comment 2 Michael Grandjean univentionstaff 2016-03-01 16:12:11 CET
The patch misses cipher suites for TLS 1.2. Those should be added for UCS 4.x.

Cyrus 2.4 also knows an option to enable/disable TLS/SSL protocols, not only cipher suites:

> tls_versions: tls1_0 tls1_1 tls1_2
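The thread above works with two knobs: the OpenSSL cipher string in tls_cipher_list and the protocol selection in tls_versions. The following script is an added example (not Univention's or Cyrus' code) that audits both from an imapd.conf fragment: it splits the cipher string into its colon-separated tokens, reports SSLv2 suites that are still positively selected, checks that anonymous and weak cipher classes are excluded, and flags ssl2/ssl3 tokens in tls_versions (the assumption that Cyrus accepts such tokens alongside the tls1_* values shown above is mine). The config fragments are constructed; the two cipher lists are the old and new defaults quoted in this bug. Following Comment 5, the audit deliberately does not treat the SSLv3 alias in the cipher string as a finding, because on this OpenSSL the SSLv3 and TLSv1 aliases select the same suites, so the protocol has to be disabled at the protocol level rather than via ciphers.

```python
"""Audit Cyrus imapd.conf TLS settings for SSLv2 suites and weak classes.

Added example, not code from the bug or from Cyrus/Univention. Parses
'key: value' lines, tokenises the OpenSSL cipher string and reports
findings; an empty list means the settings pass the checks implemented here.
"""
import re

# OpenSSL alias that pulls SSLv2-only suites into the list (DROWN-relevant).
SSLV2_ALIAS = "SSLv2"
# Classes a hardened list must exclude with "!" unless HIGH already limits it.
WEAK_CLASSES = ("NULL", "EXPORT", "LOW", "DES")
# tls_versions tokens treated as forbidden (assumption: Cyrus accepts them
# in addition to the tls1_0/tls1_1/tls1_2 tokens shown in the bug).
FORBIDDEN_VERSIONS = {"ssl2", "ssl3"}

OLD_DEFAULT = "TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
NEW_DEFAULT = "TLSv1+HIGH:!aNULL:@STRENGTH"

# Constructed config fragments for this example.
OLD_CONF = "# old UCS 3.2 defaults\ntls_cipher_list: " + OLD_DEFAULT + "\n"
NEW_CONF = ("# defaults after the fix\ntls_cipher_list: " + NEW_DEFAULT + "\n"
            "tls_versions: tls1_0 tls1_1 tls1_2\n")


def parse_imapd_conf(text):
    """Return {key: value} for 'key: value' lines, ignoring blanks/comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def cipher_tokens(cipher_list):
    """Split an OpenSSL cipher string into (modifier, alias) pairs.

    Modifier is '' (select), '!' (kill permanently), '-' (delete),
    '+' (move to end) or '@' (sort directive). 'A+B' intersections are
    split so each alias can be inspected on its own.
    """
    pairs = []
    for raw in re.split(r"[:, ]+", cipher_list):
        if not raw:
            continue
        mod = raw[0] if raw[0] in "!-+@" else ""
        body = raw[len(mod):]
        if mod == "@":
            pairs.append((mod, body))
        else:
            pairs.extend((mod, part) for part in body.split("+") if part)
    return pairs


def audit_cipher_list(cipher_list):
    """Return findings for one cipher string (empty list = no findings)."""
    pairs = cipher_tokens(cipher_list)
    enabled = {alias for mod, alias in pairs if mod in ("", "+")}
    killed = {alias for mod, alias in pairs if mod == "!"}
    findings = []
    if SSLV2_ALIAS in enabled:
        findings.append("SSLv2 suites selected in tls_cipher_list")
    if "aNULL" not in killed:
        findings.append("anonymous (aNULL) suites not excluded")
    if "HIGH" not in enabled:  # HIGH already drops NULL/EXPORT/LOW/DES
        for cls in WEAK_CLASSES:
            if cls not in killed and not (cls == "NULL" and "eNULL" in killed):
                findings.append(f"weak class {cls} not excluded")
    return findings


def audit_config(text):
    """Audit tls_cipher_list and tls_versions from an imapd.conf fragment."""
    conf = parse_imapd_conf(text)
    if "tls_cipher_list" not in conf:
        findings = ["tls_cipher_list not set; relying on library default"]
    else:
        findings = audit_cipher_list(conf["tls_cipher_list"])
    versions = set(conf.get("tls_versions", "").split())
    findings.extend(f"tls_versions offers {v}"
                    for v in sorted(versions & FORBIDDEN_VERSIONS))
    return findings


if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, audit_config(conf) or "OK")
```

Running it prints two findings for the old default (SSLv2 suites, no !aNULL) and OK for the new one.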
Comment 3 Michael Grandjean univentionstaff 2016-03-01 16:21:50 CET
Just to clarify:

UCS 4.x does not offer SSLv2 anymore because of the newer OpenSSL version. The cipher settings in the cyrus configuration are the same for UCS 3.x and UCS 4.x
Comment 4 Arvid Requate univentionstaff 2016-03-01 17:13:00 CET
See also Bug 40189 Comment #2 and the attached mitigation patch for CVE-2016-0800
Comment 5 Daniel Tröder univentionstaff 2016-03-04 10:31:58 CET
SSLv3 cannot be disabled in Cyrus without disabling TLSv1. But from what I have read, there is still no PoC for POODLE with IMAPS, only with HTTPS.

So despite the title and the commit message, this patch actually only disables SSLv2.

A test 09_imap_ssl_versions was added to ucs-test-mail, which checks for en/disabled ciphers, depending on the UCRV.

Test: r67894
Code: r67895
Advisory: r67896
Comment 6 Felix Botner univentionstaff 2016-04-20 14:32:51 CEST
The test 09_imap_ssl_versions fails on my 3.2-8 system. Despite mail/cyrus/ssl/cipher_list='TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH', ssl2 does not work

more /etc/imapd/imapd.conf | grep cipher
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

-> echo "A LOGOUT" | openssl s_client -connect master.three.two:993 -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -quiet -ssl2
8426:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:427:

-> echo "A LOGOUT" | openssl s_client -connect master.three.two:993 -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -quiet -ssl3
depth=1 /C=DE/ST=DE/L=DE/O=hom/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=3he3gbCe)/emailAddress=ssl@three.two
verify return:1
depth=0 /C=DE/ST=DE/L=DE/O=hom/OU=Univention Corporate Server/CN=master.three.two/emailAddress=ssl@three.two
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN SASL-IR] master Cyrus IMAP v2.4.9-Debian-2.4.9-1.27.201308091604 server ready
* BYE LOGOUT received
A OK Completed
read:errno=0
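The two probes above are what a per-protocol check like 09_imap_ssl_versions boils down to: connect with one protocol forced, and decide from the output whether the TLS layer came up. The script below is an added example (not the ucs-test code) that builds the same openssl s_client command lines, classifies captured output by looking for the IMAP greeting versus an OpenSSL handshake error, and compares the observed state of each protocol against a policy. The transcripts are constructed from the output captured in this comment; host name and CA path are copied from the commands above and the policy (SSLv2 and SSLv3 refused, TLSv1 accepted) is an assumption for the example, so the SSLv3 transcript, which reaches the greeting, is reported as a mismatch, matching what Comment 5 says about SSLv3 on this Cyrus version.

```python
"""Classify forced-protocol openssl s_client probes against an IMAPS server.

Added example, not code from the bug or from ucs-test. run_probe() executes
openssl for real; the rest works offline on captured output.
"""
import re
import subprocess

# Flags understood by openssl s_client on the OpenSSL of that era.
PROBE_FLAGS = {"ssl2": "-ssl2", "ssl3": "-ssl3", "tls1": "-tls1"}
HOST = "master.three.two"                     # from the bug's commands
CA_FILE = "/etc/univention/ssl/ucsCA/CAcert.pem"
# Assumed policy for this example: refuse SSLv2 and SSLv3, accept TLSv1.
EXPECTED = {"ssl2": False, "ssl3": False, "tls1": True}

GREETING = re.compile(r"^\* OK\b")            # IMAP server greeting
HANDSHAKE_ERROR = re.compile(r"SSL routines:.*:ssl handshake failure|"
                             r"alert handshake failure|wrong version number")


def probe_command(protocol, host=HOST, port=993, ca_file=CA_FILE):
    """Build the s_client command line for one forced protocol."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-CAfile", ca_file, "-quiet", PROBE_FLAGS[protocol]]


def handshake_succeeded(output):
    """True if the IMAP greeting appeared, i.e. TLS came up on that protocol.

    An OpenSSL error line, or no greeting at all (server closed the socket),
    counts as refused.
    """
    for line in output.splitlines():
        if GREETING.match(line):
            return True
        if HANDSHAKE_ERROR.search(line):
            return False
    return False


def run_probe(protocol, host=HOST, port=993, ca_file=CA_FILE):
    """Run the probe with 'A LOGOUT' on stdin and classify stdout+stderr."""
    proc = subprocess.run(probe_command(protocol, host, port, ca_file),
                          input="A LOGOUT\n", capture_output=True,
                          text=True, timeout=15)
    return handshake_succeeded(proc.stdout + proc.stderr)


def evaluate(results, expected=EXPECTED):
    """Compare {protocol: accepted} with the policy; return mismatch strings."""
    mismatches = []
    for proto, want in expected.items():
        if proto in results and results[proto] != want:
            got = "accepted" if results[proto] else "refused"
            mismatches.append(
                f"{proto}: {got}, policy requires "
                f"{'accepted' if want else 'refused'}")
    return mismatches


# Constructed transcripts, based on the output captured in the bug.
SSL2_OUTPUT = ("8426:error:1407F0E5:SSL routines:SSL2_WRITE:"
               "ssl handshake failure:s2_pkt.c:427:\n")
SSL3_OUTPUT = """depth=0 /C=DE/ST=DE/L=DE/O=hom/OU=Univention Corporate Server/CN=master.three.two/emailAddress=ssl@three.two
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN SASL-IR] master Cyrus IMAP v2.4.9-Debian-2.4.9-1.27.201308091604 server ready
* BYE LOGOUT received
A OK Completed
read:errno=0
"""


def sample_results():
    """Classify the constructed transcripts (no network needed)."""
    return {"ssl2": handshake_succeeded(SSL2_OUTPUT),
            "ssl3": handshake_succeeded(SSL3_OUTPUT)}


if __name__ == "__main__":
    for m in evaluate(sample_results()):
        print("MISMATCH", m)
```

Against a live server, replace sample_results() with {p: run_probe(p) for p in PROBE_FLAGS}; a mismatch list that is empty is the pass condition.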
Comment 7 Daniel Tröder univentionstaff 2016-04-20 17:52:45 CEST
09_imap_ssl_versions was adapted to the disabling of SSLv2 in errata410.
ucs-test 4.0.215-14 was built in ucs_3.2-0-errata3.2-8
Comment 8 Daniel Tröder univentionstaff 2016-04-20 17:54:12 CEST
PS: r68841
(also not testing for tls3 anymore :D)
Comment 9 Felix Botner univentionstaff 2016-04-21 09:51:47 CEST
OK - default changed to TLSv1+HIGH:!aNULL:@STRENGTH
OK - mail/cyrus/ssl/cipher_list
OK - 09_imap_ssl_versions

OK - univention-mail-cyrus.yaml
Comment 10 Janek Walkenhorst univentionstaff 2016-04-27 17:11:04 CEST
<http://errata.software-univention.de/ucs/3.2/423.html>