james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ioan Eugen Stan (JIRA)" <server-...@james.apache.org>
Subject [jira] [Updated] (JAMES-385) Allow to prevent weak ciphers when using "useTLS"
Date Sun, 17 Mar 2013 12:37:14 GMT

     [ https://issues.apache.org/jira/browse/JAMES-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Ioan Eugen Stan updated JAMES-385:

    Fix Version/s: Trunk
> Allow to prevent weak ciphers when using "useTLS"
> -------------------------------------------------
>                 Key: JAMES-385
>                 URL: https://issues.apache.org/jira/browse/JAMES-385
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>    Affects Versions: 2.2.0, 2.3.0, 2.3.1, 2.3.2, 3.0-M1, 3.0-M2
>         Environment: Linux, jdk 1.4
>            Reporter: Ralf Hauser
>            Assignee: Eric Charles
>            Priority: Critical
>             Fix For: Trunk, 3.0-beta3
>         Attachments: Cornerstone.patch.zip
> http://james.apache.org/usingTLS_2_1.html and http://wiki.apache.org/james/UsingSSL explain
how to setup a pop3s etc. describe how to secure a client connection to James.
>    openssl s_client -connect pops.mydom.com:995 -cipher EXPORT
> illustrates that this is possible with james.
> One might argue that a decent client will never ask the server to negotiate a weak cipher.
But an attacker (man-in-the-middle) could remove stronger ciphers from the client's offered
cipher list, and then break the weak cipher and e.g. obtain the user password to later hijack
the account.
> Please amend the documentation how prevent this from happening by forcing james to only
negotiate sessions with 128+ bit session key strength

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

View raw message