On 2022-05-13 5:02 pm, Greg Earle wrote:
Hello,
At work I'm running a Dovecot 2.3.15 server on a RHEL 7.9 system with
OpenSSL 1.0.2k.
Our IT Security people are threatening to shut it down because of this:
We were notified of a possible TLS renegotiation vulnerability on
[FQHN].
[Parent organization] ticket NNNNNNN is open to track efforts.
We conducted a manual test on the site for TLS Renegotiation on IMAP
port 993.
We found that this was set to enabled.
In order to remediate we will need to either:
1. Disable Renegotiation (preferred)
2. Set a max aggregated renegotiation
Please remediate as soon as possible.
References:
https://support.f5.com/csp/article/K15278
https://nvd.nist.gov/vuln/detail/cve-2011-1473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
I did some Googling and among the results, I found a few old posts from
this mailing list among them, which to summarize basically seemed to
say "Yeah, we could write some code ... " but that was about it.
The IT Security rep sent me a reference to an ancient Red Hat article
https://access.redhat.com/articles/23543
which is hysterical - ancient history, references NSS and Tomcat,
suggests changes to an add-on product (Red Hat Certificate Server) that
is EOL, etc.
Is there any way to mitigate this issue?
(The only thing I can think of is to upgrade the Dovecot server to RHEL
8 and restrict connections to only TLSv1.3, but that ain't gonna happen
overnight.)
Thanks,
- Greg
Greg,
I believe this to be a configuration error, not a dovecot problem. The
output of dovecot -n (as an attachment; look it over for any data you do
not want publicized) would help to suggest changes to bring you back
into compliance.
Regards,
Elisamuel Resto
