A lot of projects(1) are analyzing how their specific protocol may
be specifically vulnerable due to the recently release TLS/SSL
protocol-level vulnerability(2) involving client re-negotiations.
With couriertcpd(8), does the SSL wrapper present the same
limitation for cleartext protocols like SMTP and IMAP?
Does the client or server SMTP code utilize renegotiations? I
would think not.
My understanding would be that, with SSL certificate exchange, other
than validating the identity of a client/server connection against
global PKI (Trusted CAs for signed mail server certificates), at
no point during a single SMTP or IMAP transaction would a new
certificate be presented for additional security credentials.
Of course, that doesn't mean the session cannot be hijacked for
data injection (Bypassing a relay restriction in ESTMPD, for
example)
SQWebmail sessions could be taken over, as well, I suppose.
FreeBSD has disabled renegotiation support at the library-level for the
in-tree OpenSSL. Apache has disabled renegotiation in the daemon code.
I'm curious what our approach will be.
1. OpenLDAP:
http://www.openldap.org/lists/ietf-ldapext/200911/msg00000.html
2. http://extendedsubset.com/?p=8
Thanks, ~BAS
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
courier-users mailing list
courie...@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
> All:
>
> A lot of projects(1) are analyzing how their specific protocol may
> be specifically vulnerable due to the recently release TLS/SSL
> protocol-level vulnerability(2) involving client re-negotiations.
>
> With couriertcpd(8), does the SSL wrapper present the same
> limitation for cleartext protocols like SMTP and IMAP?
>
> Does the client or server SMTP code utilize renegotiations? I
> would think not.
No. There is no support for renegotiation in the client or the server. The
client never requests a renegotiation. The server ignores renegotiation
requests, and never does a handshake after the connection is established.
Not actually quite sure what happens if the server gets a renegotation
request and ignores it. Either the session continues as is, or it breaks
with an error.