[Dovecot] SSL renegotiation vulnerability (Was: dovecot evaluation on a 30 gb mailbox)
tss at iki.fi
Tue Oct 25 21:13:09 EEST 2011
On 25.10.2011, at 14.38, Steinar Bang wrote:
>>>>>> Timo Sirainen <tss at iki.fi>:
>> Yes, SSL handshakes are extra. Although SSL supports some kind of
>> quick renegotiation too, but Dovecot doesn't support that yet. No
>> one's ever requested it.
Looks like it's not "renegotiation" but more like session resume/resumption/cache or something that I was thinking about.
> Hum... this article (in Norwegian)
> addresses the SSL renegotiation vulnerability, and how it can be used to
> DoS servers using SSL from a single machine with low bandwidth.
> At the end the article discusses how to turn off SSL
> renegotiation in different servers, and that the author had been unable to
> find a setting for disabling SSL renegotiation in dovecot (and if anyone
> knows how, please inform him).
> Could the reason he hasn't found such a setting be that SSL renegotiation
> isn't supported at all in dovecot...?
Looking at the OpenSSL code, I don't see any way to disable it. Or possibly there is some undocumented, kludgy way, but I don't really know enough about OpenSSL to implement it.
Anyway, I'd think fail2ban should mostly solve this problem.