[Dovecot] SSL renegotiation vulnerability (Was: dovecot evaluation on a 30 gb mailbox)

Steinar Bang sb at dod.no
Tue Oct 25 14:38:07 EEST 2011

>>>>> Timo Sirainen <tss at iki.fi>:

> Yes, SSL handshakes are extra. Although SSL supports some kind of
> quick renegotiation too, but Dovecot doesn't support that yet. No
> one's ever requested it..

Hum... this article (in Norwegian)
addresses the SSL renegotiation vulnerability, and how it can be used to
DoS servers using SSL from a single machine with low bandwidth.

At the end, the article discusses how to turn off SSL renegotiation
in different servers, and says that the author had been unable to
find a setting for disabling SSL renegotiation in dovecot (and if anyone
knows how, please inform him).

Could the reason he hasn't found such a setting be that SSL renegotiation
isn't supported at all in dovecot...?


- Steinar

