cyrus default config includes insecure SSLv2
Bug #904875 reported by ScottMiller
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cyrus-imapd-2.2 (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
The default cipher list for cyrus includes SSLv2 enabled which is considered to be a security vulnerability.
To disable SSLv2, edit /etc/imapd.conf and alter:

    tls_cipher_list: TLSv1:SSLv3:

to:

    tls_cipher_list: TLSv1:SSLv3:
Can this package be updated to disable SSLv2 by default? Regards,
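The reporter's fix is an edit to the tls_cipher_list option in /etc/imapd.conf. As an added example (not part of the bug report and not Cyrus's own code), here is a small Python lint that parses Cyrus-style "option: value" lines, audits the OpenSSL cipher string for the points at issue (no explicit !SSLv2 exclusion, the stray trailing ":" seen in the value quoted above, anonymous and null ciphers, overly broad aliases) and derives a hardened string. The configuration fragments and the function names are constructed for illustration. Keep in mind that the cipher string only governs which ciphersuites are offered; whether the SSLv2 protocol itself can be negotiated depends on how the OpenSSL library was built and on the protocol options the server sets, which is the point the maintainer's reply makes.

```python
"""Lint the tls_cipher_list option of a Cyrus imapd.conf (added example)."""

# Constructed sample files; they are not the reporter's real /etc/imapd.conf.
WEAK_CONF = """\
# weak: no explicit exclusions, trailing ':' leaves an empty token
configdirectory: /var/lib/cyrus
tls_cert_file: /etc/ssl/certs/cyrus.pem
tls_cipher_list: TLSv1:SSLv3:
"""

HARDENED_CONF = """\
# hardened: SSLv2, anonymous and null ciphers excluded with '!'
configdirectory: /var/lib/cyrus
tls_cert_file: /etc/ssl/certs/cyrus.pem
tls_cipher_list: TLSv1:SSLv3:!SSLv2:!aNULL:!eNULL
"""

# Cipher-string aliases that admit whole families instead of naming suites.
BROAD_ALIASES = {"ALL", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT"}

# Exclusions a hardened list should carry; '!' removes permanently, unlike '-'.
REQUIRED_EXCLUSIONS = ("!SSLv2", "!aNULL", "!eNULL")


def parse_imapd_conf(text):
    """Parse Cyrus 'option: value' lines into a dict; lines starting with '#' are comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip()] = value.strip()
    return options


def cipher_tokens(cipher_list):
    """Split an OpenSSL cipher string; ':' is the usual separator, ',' and ' ' are also accepted."""
    return cipher_list.replace(",", ":").replace(" ", ":").split(":")


def audit_cipher_list(cipher_list):
    """Return a list of findings for an OpenSSL cipher string; an empty list means clean."""
    tokens = cipher_tokens(cipher_list)
    findings = []
    if "" in tokens:
        findings.append("empty token (stray ':' separator)")
    if "SSLv2" in tokens:
        findings.append("SSLv2 ciphers explicitly selected")
    for exclusion in REQUIRED_EXCLUSIONS:
        if exclusion not in tokens:
            findings.append(f"no explicit {exclusion} exclusion")
    for alias in sorted(BROAD_ALIASES & set(tokens)):
        findings.append(f"broad alias {alias}: prefer an explicit suite list")
    return findings


def harden_cipher_list(cipher_list):
    """Drop empty tokens and positive SSLv2 selection, then append the required exclusions."""
    tokens = [t for t in cipher_tokens(cipher_list) if t and t != "SSLv2"]
    for exclusion in REQUIRED_EXCLUSIONS:
        if exclusion not in tokens:
            tokens.append(exclusion)
    return ":".join(tokens)


def audit_conf(text):
    """Audit the tls_cipher_list option of a whole imapd.conf text."""
    value = parse_imapd_conf(text).get("tls_cipher_list")
    if value is None:
        return ["tls_cipher_list not set (library default applies)"]
    return audit_cipher_list(value)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        value = parse_imapd_conf(conf)["tls_cipher_list"]
        print(f"{name}: {value!r}")
        for finding in audit_cipher_list(value) or ["OK"]:
            print("  -", finding)
        if audit_cipher_list(value):
            print("  suggested:", harden_cipher_list(value))
```

Running the script prints the findings for the weak fragment and the suggested replacement, and reports OK for the hardened one. The lint deliberately does not call into OpenSSL, so it reflects the configured string rather than what a given library build will actually negotiate; pairing it with a check of the installed library's protocol support is what settles the question the maintainer raises.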
visibility: private → public
Changed in cyrus-imapd-2.2 (Ubuntu): status: Invalid → New
Thanks for using Ubuntu and reporting a bug. cyrus-imapd-2.2 is compiled to use openssl, but openssl in Ubuntu uses the no-ssl2 configure option, so even though the cipher list reports these, they should not work. While it would be less confusing to adjust cyrus-imapd-2.2 to not report this, this is not a change we would want to carry in Ubuntu without it also being in Debian. I am going to close this bug as "Invalid" since cyrus should not actually use sslv2. If this is in error, please feel free to reopen the bug. If you feel strongly that this should be fixed, please file a bug with Debian and Ubuntu will get the change automatically as part of our development process. Thanks again!