oss-sec mailing list archives
perdition: ssl_outgoing_ciphers not applied to STARTTLS connections
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 13 Nov 2013 02:21:57 -0500
Perdition, the IMAP and POP proxy server, fails to apply the administrator's specified ciphersuite preferences when making outbound connections to IMAP and POP servers using STARTTLS. For these outbound connections, it applies the administrator's listening ciphersuite preferences, which in many cases may be significantly weaker.

This was first noted publicly on the Debian BTS: http://bugs.debian.org/729028

All versions of perdition up to 2.0 appear to be affected, and the fix is a one-line patch.

This is not a critical vulnerability (it can be mitigated, for example, by enforcing a strict minimalist ciphersuite on the backend server), but in the absence of any such mitigation, it may cause the connections between the proxy server and the backend server to negotiate a weaker ciphersuite than the administrator's stated intent.

Could a CVE be issued for this issue?

Thanks,
--dkg