[Dovecot] IMAP and POP3 per SSL

Lamprecht, Andreas andreas.a.lamprecht at atos.net
Tue Mar 20 13:16:33 EET 2012


Hi!
 
I'm new to this list and i could not find a way to search through the already posted articles, so please forgive me if this subject has been discussed before.
 
Our security scanner stumbled over the IMAPs server i've set up recently using dovecot on a RedHat Enterprise 64bit Server.
The security scanner found an error regarding a new SSL security leak named "BEAST". The exact error number is CVE-2011-3389. Details can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

"The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set

  SSLHonorCipherOrder On

in apache config. This results in the following C-Code being executed:

        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

This setting tells OpenSSL not to honor the Ciper Order sent from the client, but prefer it's own configured set of CipherSuites. According to Qualis SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is not affected by that BEAST security leak.

Is there a way to implement such a setting into Dovecot, too?

I have created a very quick and dirty solution to avoid being listed on our internal security problem's list.
This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux 6.2:

*** src/login-common/ssl-proxy-openssl.c        2010-12-30 10:42:54.000000000 +0100
--- src/login-common/ssl-proxy-openssl.c_1      2012-03-20 09:48:28.359508087 +0100
***************
*** 924,930 ****
        X509_STORE *store;
        STACK_OF(X509_NAME) *xnames = NULL;

!       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
        if (*set->ssl_ca != '\0') {
                /* set trusted CA certs */
                store = SSL_CTX_get_cert_store(ssl_ctx);
--- 924,930 ----
        X509_STORE *store;
        STACK_OF(X509_NAME) *xnames = NULL;

!       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE );
        if (*set->ssl_ca != '\0') {
                /* set trusted CA certs */
                store = SSL_CTX_get_cert_store(ssl_ctx);


Of course there should be a way to switch this setting on or off, but my C programming skills are rather basic ...

So, maybe you have the time to look over it and implement a final solution for the BEAST problem.

Greetings
Andreas lamprecht




More information about the dovecot mailing list