For over 6 months now, PCI scanners have been failing us for being vulnerable (via Qmail and Courier IMAP only --> other daemons ok) with regards to the following issue...
SSL renegotiation DoS CVE-2011-1473 which is very similar to CVE-2011-5094. Both of these also say they're *DISPUTED* and a note on each reads: "It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment."
Okay. I've checked the documentation for both Qmail and Courier IMAP but didn't see anything regarding configuration of SSL renegotiation. I think Courier uses SSL/TLS for security and Qmail fires up STARTTLS but, other than that, I've got NO idea how to alter/patch either one, much less have it all playing nice with Plesk. It seems like OpenSSL should play a role here somewhere too (perhaps those other daemons use it?) but it's high time I reach out for more clues.
Please note: this is NOT the same as the BEAST attack / CVE-2011-3389. That one has been addressed by updated ciphers, tweaking httpd.conf, etc. as seen in the basic Plesk PCI Compliance Guide/Tool.
ANY ideas or advice greatly appreciated!
Should I consider Postifix?
SSL renegotiation DoS CVE-2011-1473 which is very similar to CVE-2011-5094. Both of these also say they're *DISPUTED* and a note on each reads: "It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment."
Okay. I've checked the documentation for both Qmail and Courier IMAP but didn't see anything regarding configuration of SSL renegotiation. I think Courier uses SSL/TLS for security and Qmail fires up STARTTLS but, other than that, I've got NO idea how to alter/patch either one, much less have it all playing nice with Plesk. It seems like OpenSSL should play a role here somewhere too (perhaps those other daemons use it?) but it's high time I reach out for more clues.
Please note: this is NOT the same as the BEAST attack / CVE-2011-3389. That one has been addressed by updated ciphers, tweaking httpd.conf, etc. as seen in the basic Plesk PCI Compliance Guide/Tool.
ANY ideas or advice greatly appreciated!
Should I consider Postifix?