james-server-dev mailing list archives

From "Ralf Hauser (JIRA)" <server-...@james.apache.org>
Subject [jira] Commented: (JAMES-385) Allow to prevent weak ciphers when using "useTLS"
Date Thu, 21 Jul 2005 08:12:48 GMT
    [ http://issues.apache.org/jira/browse/JAMES-385?page=comments#action_12316328 ] 

Ralf Hauser commented on JAMES-385:
-----------------------------------

Until this is fixed in James (avalon/cornerstone, ...), is there a possibility to configure
this globally on a JVM/JRE-wide scale as a work-around (http://forum.java.sun.com/thread.jspa?threadID=646006)?

If you are going to fix this, allow the cipher groupings of openssl to be used in a fail-safe
way (http://issues.apache.org/bugzilla/show_bug.cgi?id=35765).

> Allow to prevent weak ciphers when using "useTLS"
> -------------------------------------------------
>
>          Key: JAMES-385
>          URL: http://issues.apache.org/jira/browse/JAMES-385
>      Project: James
>         Type: Bug
>     Versions: 2.2.0
>  Environment: Linux, jdk 1.4
>     Reporter: Ralf Hauser
>     Priority: Critical
>
> http://james.apache.org/usingTLS_2_1.html and http://wiki.apache.org/james/UsingSSL explain
> how to set up a pop3s etc. and describe how to secure a client connection to James.
>    openssl s_client -connect pops.mydom.com:995 -cipher EXPORT
> illustrates that this is possible with James.
> One might argue that a decent client will never ask the server to negotiate a weak cipher.
> But an attacker (man-in-the-middle) could remove stronger ciphers from the client's offered
> cipher list, and then break the weak cipher and e.g. obtain the user password to later hijack
> the account.
> Please amend the documentation on how to prevent this from happening by forcing James to only
> negotiate sessions with 128+ bit session key strength.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
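The restriction the issue asks for (only 128+ bit suites, applied fail-safe so that a client offering nothing but export-grade suites is refused rather than accommodated) can be enforced on the server side with the standard JSSE calls `SSLServerSocket.getSupportedCipherSuites()` and `setEnabledCipherSuites()`, which exist in the `javax.net.ssl` API. The helper below is an added example written for this archive page; it is not code from James, Avalon or Cornerstone, and the class `StrongCipherPolicy`, its marker lists and its sample suite names are assumptions constructed for illustration. It uses Java 5 syntax for brevity; the JSSE methods it calls were already present in JDK 1.4.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Hypothetical helper (not part of James): restricts the cipher suites a JSSE
 * server socket will negotiate so that export-grade, unauthenticated and
 * unencrypted suites cannot be selected, whatever the client offers.
 */
public class StrongCipherPolicy {

    // Deny markers: a suite whose JSSE name contains one of these is dropped.
    // "_DES_" matches single DES (SSL_RSA_WITH_DES_CBC_SHA) but not 3DES
    // (SSL_RSA_WITH_3DES_EDE_CBC_SHA), where "DES" is preceded by "3".
    private static final String[] DENY_MARKERS = {
        "EXPORT", "NULL", "anon", "_DES_", "RC4"
    };

    // Allow markers: after passing the deny list, a suite survives only if its
    // bulk cipher is one of these. 3DES (112-bit effective strength) is left out
    // on purpose to match the "128+ bit" requirement; unknown suites are rejected.
    private static final String[] ALLOW_MARKERS = { "AES_128", "AES_256" };

    /** Returns true only for suites this policy considers strong enough. */
    static boolean isAcceptable(String suite) {
        for (String marker : DENY_MARKERS) {
            if (suite.indexOf(marker) >= 0) {
                return false;
            }
        }
        for (String marker : ALLOW_MARKERS) {
            if (suite.indexOf(marker) >= 0) {
                return true;
            }
        }
        return false; // fail-safe default: anything unrecognised is not enabled
    }

    /** Filters suite names, keeping the provider's preference order. */
    static String[] filter(String[] supported) {
        List<String> kept = new ArrayList<String>();
        for (String suite : supported) {
            if (isAcceptable(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /**
     * Applies the policy to a server socket. If nothing acceptable is available
     * it refuses to continue instead of silently keeping the provider defaults,
     * which is the fail-safe behaviour the comment above asks for.
     */
    static void apply(SSLServerSocket server) throws IOException {
        String[] strong = filter(server.getSupportedCipherSuites());
        if (strong.length == 0) {
            throw new IOException("no acceptable cipher suites; refusing to serve TLS");
        }
        server.setEnabledCipherSuites(strong);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample names, to show the filter's decisions offline.
        String[] sample = {
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",    // export grade: dropped
            "SSL_RSA_WITH_NULL_SHA",             // no encryption: dropped
            "SSL_DH_anon_WITH_AES_128_CBC_SHA",  // no authentication: dropped
            "SSL_RSA_WITH_DES_CBC_SHA",          // 56-bit DES: dropped
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",     // below 128 bit effective: dropped
            "TLS_RSA_WITH_AES_128_CBC_SHA",      // kept
            "TLS_RSA_WITH_AES_256_CBC_SHA"       // kept
        };
        System.out.println("sample  -> " + Arrays.toString(filter(sample)));

        // Apply to a real socket on an ephemeral port and show what the JVM
        // in use will actually negotiate after the policy is applied.
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        apply(server);
        System.out.println("enabled -> " + Arrays.toString(server.getEnabledCipherSuites()));
        server.close();
    }
}
```

The policy is per socket, so every listener James opens with `useTLS` would need it applied, and because it keys on JSSE suite names rather than on the cipher's actual parameters, the enabled list printed at startup should be reviewed after each JDK or provider upgrade. The `openssl s_client ... -cipher EXPORT` command quoted in the issue is the matching external check: once the policy is in place, that handshake must fail.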

