You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by "Norman Maurer (JIRA)" <se...@james.apache.org> on 2010/11/16 12:39:14 UTC
[jira] Resolved: (JAMES-385) Allow to prevent weak ciphers when
using "useTLS"
[ https://issues.apache.org/jira/browse/JAMES-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Norman Maurer resolved JAMES-385.
---------------------------------
Resolution: Fixed
Assignee: Norman Maurer
done
> Allow to prevent weak ciphers when using "useTLS"
> -------------------------------------------------
>
> Key: JAMES-385
> URL: https://issues.apache.org/jira/browse/JAMES-385
> Project: JAMES Server
> Issue Type: Bug
> Components: SMTPServer
> Affects Versions: 2.2.0, 2.3.0, 2.3.1, 2.3.2, 3.0-M1, 3.0-M2
> Environment: Linux, jdk 1.4
> Reporter: Ralf Hauser
> Assignee: Norman Maurer
> Priority: Critical
> Fix For: 3.0-M3
>
> Attachments: Cornerstone.patch.zip
>
>
> http://james.apache.org/usingTLS_2_1.html and http://wiki.apache.org/james/UsingSSL explain how to setup a pop3s etc. describe how to secure a client connection to James.
> openssl s_client -connect pops.mydom.com:995 -cipher EXPORT
> illustrates that this is possible with james.
> One might argue that a decent client will never ask the server to negotiate a weak cipher. But an attacker (man-in-the-middle) could remove stronger ciphers from the client's offered cipher list, and then break the weak cipher and e.g. obtain the user password to later hijack the account.
> Please amend the documentation how prevent this from happening by forcing james to only negotiate sessions with 128+ bit session key strength
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org