james-server-dev mailing list archives

From Phillip Odam <phillip.o...@nitorgroup.com>
Subject supportedCipherSuites not working for startTLS
Date Tue, 11 Dec 2012 17:24:48 GMT
Setting the supported cipher suites when startTLS is enabled is not 
limiting the available ciphers since the instantiation of the Encryption 
object always sets the member enabledCipherSuites to null.


Demonstrate issue:

Add the following to the tls tag in conf/smtpserver.conf

<supportedCipherSuites>
   <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
</supportedCipherSuites>

With the change active, attempting to connect to the server with the 
following command will succeed (with a weaker cipher)

openssl s_client -connect mail.server.tld:25 -crlf -starttls smtp -cipher LOW


Patch:

--- 
current/protocols/api/src/main/java/org/apache/james/protocols/api/Encryption.java 
(revision 1420267)
+++ 
current/protocols/api/src/main/java/org/apache/james/protocols/api/Encryption.java 
2012-12-11 11:41:45.000000000 -0500
@@ -73,7 +73,7 @@
       * @return enc
       */
      public static Encryption createStartTls(SSLContext context, 
String[] enabledCipherSuites) {
-        return new Encryption(context, true, null);
+        return new Encryption(context, true, enabledCipherSuites);
      }

      /**
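Review bot: The change itself is right, but the hunk carries no test; add a regression test for createStartTls that asserts the array passed in is what the constructed Encryption ends up holding, so a hard-coded null cannot return silently. The Javadoc immediately above the method still reads `@return enc`, which says nothing; state what is returned, for example `@return an Encryption for STARTTLS restricted to enabledCipherSuites (provider defaults when null)`.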

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
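An added example in Java (not code from the James project or from this message) of the mechanism the report relies on: a server-side SSLEngine built with a null cipher-suite list keeps the JSSE defaults, while an explicitly configured list restricts what the engine will negotiate. It uses the JDK's default SSLContext in place of the one James builds from its configuration, and the method names serverEngine and restrictedTo are assumed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example, not James code. Shows why passing null as the cipher-suite
 * list leaves the provider defaults enabled, and how an explicit list
 * narrows what the engine will negotiate.
 */
public class CipherRestrictionCheck {

    /**
     * What a createStartTls-style factory should do with the configured suites
     * (hypothetical helper name).
     */
    static SSLEngine serverEngine(SSLContext ctx, String[] enabledCipherSuites) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (enabledCipherSuites != null) {
            // setEnabledCipherSuites throws IllegalArgumentException for names the
            // provider does not support, so keep only the supported ones. If the
            // running JDK has removed every configured suite, this yields an empty
            // list and no handshake can succeed, which is the safe failure mode.
            List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
            String[] usable = Arrays.stream(enabledCipherSuites)
                    .filter(supported::contains)
                    .toArray(String[]::new);
            engine.setEnabledCipherSuites(usable);
        }
        return engine;
    }

    /** True when every suite the engine would offer is one the operator configured. */
    static boolean restrictedTo(SSLEngine engine, String[] configured) {
        List<String> allowed = Arrays.asList(configured);
        return Arrays.stream(engine.getEnabledCipherSuites()).allMatch(allowed::contains);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Same suite as the supportedCipherSuites element in the report above.
        String[] configured = { "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" };

        SSLEngine beforePatch = serverEngine(ctx, null);        // factory discarding its argument
        SSLEngine afterPatch = serverEngine(ctx, configured);   // factory passing it through

        System.out.println("null list  -> " + beforePatch.getEnabledCipherSuites().length
                + " suites enabled, restricted=" + restrictedTo(beforePatch, configured));
        System.out.println("configured -> " + afterPatch.getEnabledCipherSuites().length
                + " suites enabled, restricted=" + restrictedTo(afterPatch, configured));
    }
}
```

Compile and run it with a plain `javac`/`java`; the first line shows the full default suite list (restricted=false), the second shows at most the one configured suite (restricted=true). The same restrictedTo check, applied to the engine a server actually hands out, is the unit-level counterpart of the s_client probe in the report.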

