oss-sec mailing list archives

Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol


From: dave b <db.pub.mail () gmail com>
Date: Fri, 24 Dec 2010 01:54:09 +1100

 II), Allows SSLv2 protocol

 Description:
 In commit:
 [4]
https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a

 when SSL server certificate validation support was added
 to OfflineIMAP it was still possible to use SSL v2 protocol
 version. Version 2 of the SSL protocol is known
 to be prone to multiple deficiencies, each of them
 having security implications (to mention some of them):
 [5] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security

 Thus SSLv2 protocol version should be disabled in OfflineIMAP.

As I understand it this is only an issue if the OpenSSL installed on
the system has SSLv2 enabled. So those using OpenSSL 1.0 and above
would not be subject to the second bug.

--
I do desire we may be better strangers.         -- William Shakespeare, "As
You Like It"
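The two reported problems (no validation of the remote server certificate, and SSLv2 still negotiable) both come down to how the TLS client context is configured. The following is an added example written for this archive page using Python's standard `ssl` module; it is not OfflineIMAP's own code and the function names are my own. It shows a context with the weak settings next to a hardened one, an audit function that reports the properties the two bugs hinge on, and a direct check of whether the linked OpenSSL was built with SSLv2 at all (which is what the reply above says the second bug depends on), rather than inferring that from the version number:

```python
import ssl


def openssl_supports_sslv2() -> bool:
    """True if the OpenSSL this interpreter links against was built with SSLv2.

    The reply in the thread notes the second bug only matters when the installed
    OpenSSL still has SSLv2 compiled in; this checks that directly.
    """
    return ssl.HAS_SSLv2


def weak_client_context() -> ssl.SSLContext:
    """A client context reproducing the first reported failure mode: the remote
    server certificate is never validated. Constructed for illustration only;
    this is not OfflineIMAP's code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, including a forged one
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """A client context with both problems addressed: certificate and hostname
    verification required, and SSLv2/SSLv3 refused regardless of what the
    underlying OpenSSL build would otherwise allow. `cafile` is an optional
    CA bundle path; None means the platform's default trust store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3  # explicit, even where already default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the properties the two reported bugs depend on, as plain booleans."""
    return {
        "validates_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        # On OpenSSL builds without SSLv2 the OP_NO_SSLv2 bit is 0 (a no-op),
        # so "not compiled in" counts as disabled as well.
        "sslv2_disabled": (not ssl.HAS_SSLv2) or bool(ctx.options & ssl.OP_NO_SSLv2),
        "sslv3_disabled": (not ssl.HAS_SSLv3) or bool(ctx.options & ssl.OP_NO_SSLv3),
    }


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "| SSLv2 compiled in:", openssl_supports_sslv2())
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx))
```

Running the module prints the audit for both contexts; the weak one reports `validates_certificate` and `checks_hostname` as False, the hardened one reports every property as True. The `sslv2_disabled` check deliberately treats "OpenSSL has no SSLv2" as disabled, since on such builds the option bit is zero and a naive bitmask test would report a false negative.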

