Date: Mon, 03 Dec 2001 15:16:16 -0800
From: David Wright <[EMAIL PROTECTED]>

> A while back I wrote to the list asking about how to specify the SSL/TLS cipher algorithms that cyrus imapd should accept (by analogy with the SSLCipherSuite directive from Apache's mod_ssl). I didn't receive a reply (which is fine) so now I want to verify: is it true that there is no way to specify which cipher algorithms cyrus imapd should accept?

That's correct.

> I think this should be considered a rather large security hole. I believe OpenSSL will even negotiate down to the NULL cipher (i.e. no encryption) if a client claims that is all it will accept.

Cyrus IMAP queries for the "strength" of the algorithm negotiated and factors that in when considering what SASL mechanisms to offer. Setting "sasl_minimum_layer" to a suitably high number should defend against attacks when the client attempts to use AUTHENTICATE.

If the client attempts to use the LOGIN command it looks like the IMAP server will accept the null cipher as sufficient even if the administrator specified "allowplaintext: false". I agree that this is a problem.

Larry
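Added example, not code from Cyrus IMAP or from either poster: a small Python model of the two decision paths Larry describes. It assumes a simplified SASL rule (a mechanism is offered when the TLS cipher strength plus the mechanism's own security layer reaches sasl_minimum_layer) and uses constructed cipher and mechanism values; it shows AUTHENTICATE withholding PLAIN over a NULL cipher while the LOGIN path still accepts it, beside a check that treats a 0-bit cipher as plaintext.

```python
# Toy model of the server-side policy discussed in the thread (added example,
# not Cyrus code).  Assumptions: `external_ssf` stands in for the strength
# Cyrus derives from the negotiated TLS cipher; the SASL offer rule and the
# mechanism table are simplified, constructed values.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tls:
    cipher: str   # negotiated cipher name as OpenSSL reports it
    bits: int     # key strength in bits; 0 for the NULL (no-encryption) ciphers


# Constructed table: security layer each mechanism can add on its own.
MECH_SSF = {"PLAIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}


def external_ssf(tls: Optional[Tls]) -> int:
    """Strength already provided by the transport; 0 when no TLS or NULL cipher."""
    return tls.bits if tls else 0


def sasl_mechs_offered(tls: Optional[Tls], sasl_minimum_layer: int) -> list:
    """Mechanisms AUTHENTICATE would advertise (simplified SASL rule, assumed)."""
    ext = external_ssf(tls)
    return sorted(m for m, ssf in MECH_SSF.items() if ext + ssf >= sasl_minimum_layer)


def login_allowed_as_described(tls: Optional[Tls], allowplaintext: bool) -> bool:
    """The LOGIN behaviour the reply observes: any completed STARTTLS counts,
    whatever cipher was negotiated, so a NULL cipher passes."""
    return allowplaintext or tls is not None


def login_allowed_hardened(tls: Optional[Tls], allowplaintext: bool,
                           sasl_minimum_layer: int) -> bool:
    """Apply the same strength test to LOGIN: a 0-bit cipher is plaintext."""
    return allowplaintext or external_ssf(tls) >= max(sasl_minimum_layer, 1)


NULL_TLS = Tls("NULL-SHA", 0)       # constructed: STARTTLS with a NULL cipher
AES_TLS = Tls("AES256-SHA", 256)    # constructed: a real encrypting cipher

if __name__ == "__main__":
    for tls in (None, NULL_TLS, AES_TLS):
        print(tls, sasl_mechs_offered(tls, 128),
              login_allowed_as_described(tls, False),
              login_allowed_hardened(tls, False, 128))
```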
A while back I wrote to the list asking about how by specify the SSL/TLS cipher algorithms that cyrus imapd should accept (by analogy with the SSLCipherSuite directive from Apache's mod_ssl). I didn't receive a reply (which is fine) so now I want to verify: is it true that there is no way to specify which cipher algorithms cyrus imapd should accept? That's correct. I think this should be considered a rather large security hole. I believe OpenSSL will even negotiate down to the NULL cipher (i.e. no encryption) if a client claims that is all it will accept. Cyrus IMAP queries for the "strength" of the algorithm negotiated and factors that in when considering what SASL mechanisms to offer. Setting "sasl_minimum_layer" to a suitably high number should defend against attacks when the client attempts to use AUTHENTICATE. If the client attempts to use the LOGIN command it looks like the IMAP server will accept the null cipher as sufficient even if the administrator specified "allowplaintext: false". I agree that this is a problem. Larry