[Dovecot] SSL renegotiation vulnerability (Was: dovecot evaluation on a 30 gb mailbox)
sb at dod.no
Tue Oct 25 14:38:07 EEST 2011
>>>>> Timo Sirainen <tss at iki.fi>:
> Yes, SSL handshakes are extra. Although SSL supports some kind of
> quick renegotiation too, but Dovecot doesn't support that yet. No
> one's ever requested it..
Hum... this article (in Norwegian)
addresses the SSL renegotiation vulnerability, and how it can be used to
DOS servers using SSL from a single machine with low bandwidth.
At the end the article is discussing how to configure off the SSL
renegotiate in different servers, and that the author had been unable to
find a setting for disabling SSL renegotiate in dovecot (and if anyone
knows how, please inform him).
Could the reason he hasn't found such a setting be that SSL renegotiate
isn't supported at all in dovecot...?
More information about the dovecot