james-server-dev mailing list archives

From "Ralf Hauser (JIRA)" <server-...@james.apache.org>
Subject [jira] Created: (JAMES-385) Allow to prevent weak ciphers when using "useTLS"
Date Sat, 16 Jul 2005 08:29:10 GMT
Allow to prevent weak ciphers when using "useTLS"
-------------------------------------------------

         Key: JAMES-385
         URL: http://issues.apache.org/jira/browse/JAMES-385
     Project: James
        Type: Bug
    Versions: 2.2.0    
 Environment: Linux, jdk 1.4
    Reporter: Ralf Hauser
    Priority: Critical


http://james.apache.org/usingTLS_2_1.html and http://wiki.apache.org/james/UsingSSL explain
how to set up pop3s etc. and describe how to secure a client connection to James.

   openssl s_client -connect pops.mydom.com:995 -cipher EXPORT

illustrates that this is possible with james.

One might argue that a decent client will never ask the server to negotiate a weak cipher.
But an attacker (man-in-the-middle) could remove stronger ciphers from the client's offered
cipher list, and then break the weak cipher and e.g. obtain the user password to later hijack
the account.

Please amend the documentation on how to prevent this from happening by forcing James to only negotiate
sessions with 128+ bit session key strength.

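The restriction requested in the report, sketched with the standard JSSE API as an added example (not code from James or from the reporter): the server drops sub-128-bit, unencrypted and anonymous suites from its enabled list, so a downgraded client offer finds nothing weak to negotiate. The class name and the marker list are assumptions of this example, and how James 2.2.0 creates its TLS server socket is not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical helper class; not part of James.
public class StrongCipherServerSocket {
    // Name fragments of suites below 128-bit strength, without encryption,
    // or without server authentication (list chosen for this example).
    private static final String[] WEAK_MARKERS = {
        "_EXPORT_", "_NULL_", "_anon_", "_DES_", "_DES40_", "_RC4_40_", "_RC2_"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    // Returns the input suites minus the weak ones, preserving order.
    static String[] strongOnly(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String suite : suites) {
            if (!isWeak(suite)) {
                keep.add(suite);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("no strong cipher suite available");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 picks a free port; a real POP3S listener would bind 995.
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            // Only suites left enabled here can be chosen in a handshake,
            // whatever list the client (or a man-in-the-middle) presents.
            server.setEnabledCipherSuites(strongOnly(server.getEnabledCipherSuites()));
            for (String suite : server.getEnabledCipherSuites()) {
                System.out.println(suite);
            }
        }
    }
}
```

With the filter in place, the `openssl s_client ... -cipher EXPORT` probe from the report should end in a handshake failure instead of a negotiated session.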