[Imap-uw] Disable SSL v2
Mark Crispin
mrc at CAC.Washington.EDU
Fri Jul 1 07:13:14 PDT 2005
On Thu, 30 Jun 2005, Andrew Voltmer wrote:
> I am looking for a solution to a security issue related to the WU-IMAP
> server. I have a security scanning tool that is reporting that my imapd
> daemon is doing SSL v2 over 993 on my IMAP server. It suggests that I need to
> disable SSL v2 to prevent any issues related to SSL v2 vulnerabilities. I know
> this was a major issue with Apache and ISS servers that did SSL v2 support so
> I assume it may also be an issue in an IMAP environment. Does anyone know a
> way to disable SSL v2 support in the WU-IMAP server? Thanks.

I don't know what these "issues related to SSL v2 vulnerabilities" are;
thus I can not comment intelligently on whether or not it affects IMAP in
any way. Are you building UW (not WU) imapd with the latest version of
OpenSSL?

SSL IMAP on port 993 is defined to use the SSLv23 method, and the STARTTLS
command on port 143 is defined to use the TLSv1 method. Changing to some
other method can break interoperability between clients and servers.
There have been interoperability problems with clients that incorrectly
chose SSLv23 instead of TLSv1 when doing TLS on port 143.

If you really need to disable SSL v2, then it may be that the best thing
is simply to disable port 993 service and require that everybody use port
143 and STARTTLS. This has the additional desirable side effect of
breaking clients that do SSL but not TLS, thus forcing your users to use
good TLS-capable IMAP clients such as Pine. :-)
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
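The reply above contrasts the two ways an IMAP server offers TLS: implicit SSL/TLS on port 993 and the STARTTLS upgrade on port 143, and suggests closing 993 and requiring STARTTLS. The script below is an added example, not code from the Imap-uw list or from UW imapd, that lets an administrator verify the resulting state of their own server: it reports whether 993 still answers and which protocol version a modern client negotiates there, and whether 143 advertises STARTTLS and completes the upgrade. The host name `imap.example.invalid` is a placeholder, and the tag strings `a1`/`a2` are arbitrary IMAP command tags chosen here.

```python
"""Probe an IMAP server's TLS exposure on 993 (implicit TLS) and 143 (STARTTLS).

Added example for the Imap-uw thread above; not code from UW imapd.
Usage: python imap_tls_probe.py imap.example.invalid   (host is a placeholder)
"""
import re
import socket
import ssl
import sys

# Matches both "* OK [CAPABILITY ...]" greetings and "* CAPABILITY ..." lines.
_CAP_RE = re.compile(r"CAPABILITY\s+([^\]\r\n]*)")


def parse_capabilities(response):
    """Return the upper-cased capability tokens found in a server response,
    or an empty set if no CAPABILITY list is present."""
    match = _CAP_RE.search(response.decode("ascii", "replace"))
    return {tok.upper() for tok in match.group(1).split()} if match else set()


def tagged_ok(response, tag):
    """True if the tagged completion line for `tag` in `response` is OK."""
    for line in response.split(b"\r\n"):
        if line.startswith(tag + b" "):
            return line.split(b" ", 2)[1].upper() == b"OK"
    return False


def _read_line(sock):
    """Read one CRLF-terminated line (the server greeting)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _read_until_tag(sock, tag):
    """Read until a complete line beginning with the command tag arrives."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        # Only complete lines count; the last element may be a partial line.
        if any(l.startswith(tag + b" ") for l in buf.split(b"\r\n")[:-1]):
            return buf


def client_context():
    """Client settings a current mail client would use: SSLv2/SSLv3 refused,
    TLS 1.2 as the floor, certificate verified against the system store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_implicit_tls(host, port=993, timeout=5):
    """Is SSL/TLS-wrapped IMAP still offered on 993, and which protocol is used?"""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # closed port is the state the thread recommends
        return {"open": False, "detail": str(exc)}
    with client_context().wrap_socket(raw, server_hostname=host) as tls:
        greeting = _read_line(tls)
        return {"open": True, "protocol": tls.version(),
                "capabilities": sorted(parse_capabilities(greeting))}


def check_starttls(host, port=143, timeout=5):
    """Does 143 advertise STARTTLS, and does the upgrade actually succeed?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        caps = parse_capabilities(_read_line(sock))
        if "STARTTLS" not in caps:  # greeting lacked the list; ask explicitly
            sock.sendall(b"a1 CAPABILITY\r\n")
            caps = parse_capabilities(_read_until_tag(sock, b"a1"))
        if "STARTTLS" not in caps:
            return {"starttls": False, "detail": "STARTTLS not advertised"}
        sock.sendall(b"a2 STARTTLS\r\n")
        if not tagged_ok(_read_until_tag(sock, b"a2"), b"a2"):
            return {"starttls": False, "detail": "server refused STARTTLS"}
        with client_context().wrap_socket(sock, server_hostname=host) as tls:
            return {"starttls": True, "protocol": tls.version()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "imap.example.invalid"
    for label, probe in (("993 implicit TLS", check_implicit_tls),
                         ("143 STARTTLS", check_starttls)):
        try:
            print(f"{label:17s}: {probe(target)}")
        except (OSError, ssl.SSLError) as exc:
            print(f"{label:17s}: error: {exc}")
```

A modern OpenSSL no longer contains SSLv2 at all, so this probe cannot itself confirm that a legacy server would still accept an SSLv2 ClientHello; what it shows is whether 993 is still reachable and what a current client negotiates on each port, which is the check that matters once the recommendation in the thread (close 993, require STARTTLS on 143) has been applied.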