Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Disable SSLv2 and SSLv3 in Cyrus IMAPD (3.2) | | |
| Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
| Component: | | Assignee: | Daniel Tröder <troeder> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | birkefeld, gohmann, requate, schwardt, troeder, walkenhorst |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 3.2-8-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 41378 | | |
| Attachments: | Untested patch - new defaults are from Debian Jessie | | |
Description
Michael Grandjean
2016-03-01 15:51:23 CET
Created attachment 7508: Untested patch - new defaults are from Debian Jessie
The patch misses cipher suites for TLS 1.2. Those should be added for UCS 4.x.
Cyrus 2.4 also knows an option to enable/disable TLS/SSL protocols, not only cipher suites:
> tls_versions: tls1_0 tls1_1 tls1_2
Just to clarify: UCS 4.x does not offer SSLv2 anymore because of the newer OpenSSL version. The cipher settings in the cyrus configuration are the same for UCS 3.x and UCS 4.x.

See also Bug 40189 Comment #2 and the attached mitigation patch for CVE-2016-0800.

SSLv3 cannot be disabled in Cyrus without disabling TLSv1. But from what I have read, there is still no PoC for POODLE with IMAPS, only with HTTPS. So despite the title and the commit message, this patch actually only disables SSLv2.

A test 09_imap_ssl_versions was added to ucs-test-mail, which checks for en/disabled ciphers, depending on the UCRV.

Test: r67894
Code: r67895
Advisory: r67896

The test 09_imap_ssl_versions fails on my 3.2-8 system. Despite mail/cyrus/ssl/cipher_list='TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH', ssl2 does not work:

```
more /etc/imapd/imapd.conf | grep cipher
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

-> echo "A LOGOUT" | openssl s_client -connect master.three.two:993 -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -quiet -ssl2
8426:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:427:

-> echo "A LOGOUT" | openssl s_client -connect master.three.two:993 -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -quiet -ssl3
depth=1 /C=DE/ST=DE/L=DE/O=hom/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=3he3gbCe)/emailAddress=ssl@three.two
verify return:1
depth=0 /C=DE/ST=DE/L=DE/O=hom/OU=Univention Corporate Server/CN=master.three.two/emailAddress=ssl@three.two
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN SASL-IR] master Cyrus IMAP v2.4.9-Debian-2.4.9-1.27.201308091604 server ready
* BYE LOGOUT received
A OK Completed
read:errno=0
```

09_imap_ssl_versions was adapted to the disabling of SSLv2 in errata410.

ucs-test 4.0.215-14 was built in ucs_3.2-0-errata3.2-8

PS: r68841 (also not testing for tls3 anymore :D)

OK - default changed to TLSv1+HIGH:!aNULL:@STRENGTH
OK - mail/cyrus/ssl/cipher_list
OK - 09_imap_ssl_versions
OK - univention-mail-cyrus.yaml
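The per-protocol probe that the QA comment above ran by hand (one `openssl s_client` call per version flag, judged by whether the IMAP greeting comes back through the TLS channel), written out as a small script. This is an added example, not part of the bug report, the attached patch or the UCS packages. It assumes `openssl` is on PATH; the host name and CA path in the usage comment are the ones quoted in the thread and stand in for your own. A verdict of UNTESTABLE means the local openssl build itself cannot speak that version (current builds have no `-ssl2`/`-ssl3` switch at all, and `-tls1_3` only exists from 1.1.1 on), so a meaningful REJECTED for SSLv2/SSLv3 can only come from a client that still has them, like the 3.2-8 system in the comment.

```sh
#!/bin/sh
# Added example, not from the bug report or the UCS packages: probe an
# IMAPS port with one "openssl s_client" run per protocol flag and report
# which versions the server still accepts.
#
# Usage: sh probe_imaps.sh HOST [PORT] [CAFILE]
#   sh probe_imaps.sh master.three.two 993 /etc/univention/ssl/ucsCA/CAcert.pem
# (host and CA path above are the ones quoted in the thread; use your own)

# classify_handshake OUTPUT
# Maps what s_client printed (stdout and stderr together) to a verdict:
#   ACCEPTED    the IMAP greeting "* OK ..." arrived through the TLS
#               channel, so the handshake with that version completed
#   REJECTED    no greeting; typically an "ssl handshake failure" line
#   UNTESTABLE  the local openssl cannot use that version, so the run
#               says nothing about the server
classify_handshake() {
    _out=$1
    # OpenSSL 1.0.x prints "unknown option -ssl2", 1.1+/3.x "Unknown
    # option: '-ssl2'"; "no protocols available" is what OpenSSL reports
    # when the version is compiled in but forbidden by client-side policy.
    if printf '%s\n' "$_out" | grep -qi -e 'unknown option' -e 'no protocols available'; then
        echo "UNTESTABLE (local openssl cannot use this protocol)"
        return 2
    fi
    if printf '%s\n' "$_out" | grep -q '^\* OK'; then
        echo "ACCEPTED"
        return 0
    fi
    echo "REJECTED"
    return 1
}

# probe_protocol HOST PORT FLAG [CAFILE]
# FLAG is the s_client version switch without the dash: ssl2 ssl3 tls1
# tls1_1 tls1_2 tls1_3. "A LOGOUT" is sent so the server closes the
# connection; s_client with -quiet ignores EOF on stdin and would otherwise
# sit there until the server hangs up.
probe_protocol() {
    _host=$1; _port=$2; _flag=$3; _cafile=$4
    if [ -n "$_cafile" ]; then
        _res=$(printf 'A LOGOUT\r\n' | openssl s_client -connect "$_host:$_port" \
                  -CAfile "$_cafile" -quiet "-$_flag" 2>&1)
    else
        _res=$(printf 'A LOGOUT\r\n' | openssl s_client -connect "$_host:$_port" \
                  -quiet "-$_flag" 2>&1)
    fi
    printf '%-7s %s\n' "$_flag" "$(classify_handshake "$_res")"
}

# probe_all HOST [PORT] [CAFILE]
# With the erratum installed, ssl2 (and, per the thread, only ssl2 on
# UCS 3.2) is the row that must not come back ACCEPTED.
probe_all() {
    for _p in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        probe_protocol "$1" "${2:-993}" "$_p" "$3"
    done
}

if [ $# -ge 1 ]; then
    probe_all "$@"
fi
```

The greeting is used as the success criterion rather than the s_client exit status because it proves application data flowed over the negotiated version; an exit status of 0 alone would also be produced by some builds on a clean shutdown after a failed negotiation. To see what the new default `TLSv1+HIGH:!aNULL:@STRENGTH` expands to on a given OpenSSL build, `openssl ciphers -v 'TLSv1+HIGH:!aNULL:@STRENGTH'` lists the suites in the order the server will offer them.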