From: Lawrence Greenfield (leg plus at andrew dot cmu dot edu)
Date: Mon Dec 03 2001 - 18:56:45 EST
Date: Mon, 03 Dec 2001 15:16:16 -0800
From: David Wright <>
> A while back I wrote to the list asking about how to specify the
> SSL/TLS cipher algorithms that cyrus imapd should accept (by
> analogy with the SSLCipherSuite directive from Apache's mod_ssl). I
> didn't receive a reply (which is fine) so now I want to verify: is
> it true that there is no way to specify which cipher algorithms
> cyrus imapd should accept?
That's correct.
> I think this should be considered a rather large security hole. I
> believe OpenSSL will even negotiate down to the NULL cipher
> (i.e. no encryption) if a client claims that is all it will
> accept.
Cyrus IMAP queries for the "strength" of the algorithm negotiated and
factors that in when considering what SASL mechanisms to offer.
Setting "sasl_minimum_layer" to a suitably high number should defend
against attacks when the client attempts to use AUTHENTICATE.
If the client attempts to use the LOGIN command it looks like the IMAP
server will accept the null cipher as sufficient even if the
administrator specified "allowplaintext: false". I agree that this is
a problem.
Larry
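Since the server side offered no cipher control at the time, the practical defence is on whatever end an administrator does control: make sure the OpenSSL cipher string in use cannot admit a NULL or anonymous suite. The following is an added example (not Cyrus code, and not from anyone in this thread) that enumerates what a given cipher string actually admits on the local OpenSSL build and flags suites that give no real protection; the cipher strings are constructed for illustration.

```python
import ssl


def enumerate_suites(spec):
    """Return the suites OpenSSL would accept for cipher string `spec`
    (the dicts from ssl.SSLContext.get_ciphers), or None if the library
    rejects the string outright (e.g. nothing matches)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return ctx.get_ciphers()


def weak_suites(suites, min_bits=128):
    """Names of suites that should never be allowed to carry a password:
    NULL bulk cipher (Enc=None), anonymous key exchange (Au=None), or an
    effective strength below min_bits."""
    weak = []
    for s in suites:
        desc = s["description"]
        if "Enc=None" in desc or "Au=None" in desc or s["strength_bits"] < min_bits:
            weak.append(s["name"])
    return weak


def audit(spec):
    """Convenience wrapper: (number of admitted suites, names of weak ones)."""
    suites = enumerate_suites(spec)
    if suites is None:
        return 0, []
    return len(suites), weak_suites(suites)


if __name__ == "__main__":
    # A permissive string of the kind that lets a client talk OpenSSL down
    # to NULL encryption; @SECLEVEL=0 is needed on newer builds to even
    # list such suites, and some builds refuse the string entirely.
    print("permissive:", audit("ALL:eNULL:@SECLEVEL=0"))
    # A hardened string: strong suites only, no anonymous/NULL/export.
    print("hardened:", audit("HIGH:!aNULL:!eNULL:!EXPORT:!3DES"))
```

Run it against the cipher string your client or proxy uses; an empty weak list for that string means a downgrade to an unencrypted session is not possible on this build.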