D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Disabling SSLv3 everywhere

 

On Wed, Oct 15, 2014 at 07:09:40AM +0100, Tom wrote:
> On 15/10/14 02:24, Simon Waters wrote:
> >Okay, Google they say we should lose SSLv3 ASAP.
> >
> >So far everything everywhere has gone to TLSv1 or better except...
> >
> >I have dovecot on Squeeze, and as soon as I disable SSLv3 it says it
> >can't get a cipher list together.
> >
> >I have stunnel working with TLSv1, so I can use than for POP3S and
> >IMAP4S, but should dovecot in Squeeze work with TLSv1.
> >
> >I can't decipher the complexities of the build, but my suspicion is
> >"no". Which is a blow for Squeeze support (okay I should have upgraded
> >by now).
> >
> Probably not relevant but just to scare you there are reports of
> SSLv3 having a huge hole which is to be fixed soon!

Unless I'm missing a joke or something (it's early...), this is what
Simon is referring to, isn't it? Details here:

https://www.openssl.org/~bodo/ssl-poodle.pdf

And yes, it does look nasty.

I do think attacking IMAP/POP3 is pretty difficult though, thus making
the issue a lot less urgent than on web browsers and servers.

Martijn.


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq