Univention Bugzilla – Bug 41378
Disable SSLv2 and SSLv3 in Cyrus IMAPD (3.3)
Last modified: 2016-10-27 17:56:14 CEST
Not fixed yet in UCS 3.3 +++ This bug was initially created as a clone of Bug #40810 +++ Cyrus still supports SSLv3 and even SSLv2 in our default configuration: > tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH This makes UCS 3.2 (and older) vulnerable to the DROWN attack: https://drownattack.com/ UCS 4.0 and 4.1 don't offer SSLv2 anymore, but still SSLv3, which is also considered "not sufficiently secure" -> https://datatracker.ietf.org/doc/rfc7568/
merged changes from 3.2-8 to errata3.3-0 ucs-3.3/ucs-3.3-0/mail/univention-mail-cyrus: r73368 ucs-3.3-0/doc/errata/staging/univention-mail-cyrus.yaml
OK: code merge OK: manual test (echo "A LOGOUT" | openssl s_client -connect...) OK: automatic test (40_mail/09_imap_ssl_versions) OK: advisory SSLv3 cannot be disabled in Cyrus without also disabling TLSv1 :/
<http://errata.software-univention.de/ucs/3.3/20.html>