Bug 194699 - no way to disable weak ciphers in mail/imap-uw
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs mailing list
Keywords: security
Reported: 2014-10-30 04:50 UTC by Leif Velcro
Modified: 2018-01-11 18:43 UTC
Description Leif Velcro 2014-10-30 04:50:43 UTC
There is currently no way to configure the list of used ciphers in mail/imap-uw.

As I understand it, the relevant line is located in c-client/ssl_unix.c and is hard-coded to be somewhat insecure:

#define SSLCIPHERLIST "ALL:!LOW"

If we could provide our own value for SSLCIPHERLIST at compile time, that would solve the issue.

security/openssl allows you to disable SSLv2 and SSLv3 with options used at compile time, but not all ports currently function without SSLv2 and SSLv3 support enabled, so you can't solve this problem using that trick either.
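The check a packager would want before passing a replacement SSLCIPHERLIST at compile time, as an added example (not code from the port, from c-client, or from the reporter): it asks the local OpenSSL what the hard-coded "ALL:!LOW" actually enables, compares that with a candidate string, rejects candidates OpenSSL cannot parse, and flags any weak suites the candidate still leaves on. The hardened candidate string and the weak-name markers are constructed assumptions, not values from the report.

```python
"""Vet a candidate SSLCIPHERLIST before compiling it into c-client."""
import ssl

# Value hard-coded in c-client/ssl_unix.c, as quoted in the report.
# Note: OpenSSL 1.1.0 removed all LOW suites, so on current OpenSSL
# "!LOW" excludes nothing and the default is effectively "ALL".
DEFAULT_SSLCIPHERLIST = "ALL:!LOW"

# Constructed stricter candidate (an assumption, not from the port).
HARDENED_SSLCIPHERLIST = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP"

# Name fragments that mark a suite a defender would not want enabled.
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH")


def expand_cipherlist(spec):
    """TLS 1.2-and-below suites OpenSSL enables for *spec* (dicts from
    SSLContext.get_ciphers), or None if OpenSSL rejects the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:        # "No cipher can be selected"
        return None
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(suites):
    """Suites using a weak primitive or offering under 128 bits."""
    return sorted(c["name"] for c in suites
                  if c["strength_bits"] < 128
                  or any(m in c["name"] for m in WEAK_MARKERS))


def compare(default_spec, candidate_spec):
    """Summarise what the candidate removes relative to the default."""
    default = expand_cipherlist(default_spec)
    candidate = expand_cipherlist(candidate_spec)
    if candidate is None:
        raise ValueError(f"{candidate_spec!r} selects no cipher suite")
    kept = {c["name"] for c in candidate}
    return {
        "default_count": len(default),
        "candidate_count": len(candidate),
        "removed": sorted(c["name"] for c in default if c["name"] not in kept),
        "weak_remaining": weak_suites(candidate),
    }


if __name__ == "__main__":
    r = compare(DEFAULT_SSLCIPHERLIST, HARDENED_SSLCIPHERLIST)
    print(f"{r['default_count']} suites by default, {r['candidate_count']} "
          f"with candidate; weak left: {r['weak_remaining'] or 'none'}")
```

The same comparison applies to whatever string a port option or a -DSSLCIPHERLIST build flag would feed into ssl_unix.c; the exact counts depend on the OpenSSL the port is linked against.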
Comment 1 John Marino freebsd_committer 2014-11-01 08:37:35 UTC
FYI, this port is unmaintained and there's no provided patch, so the chances of something happening are not great unless you improve your chances (e.g. provide a tested patch).
Comment 2 John Marino freebsd_committer 2014-11-14 10:46:29 UTC
Move PR out of triage, there's no action to be done.
Comment 3 Thierry Thomas freebsd_committer 2014-11-23 20:11:54 UTC
See the discussion at
<http://blog.gmane.org/gmane.mail.imap.uw.c-client/month=20141001>.
Comment 4 Leif Velcro 2015-01-18 17:20:44 UTC
At this point, mail/imap-uw should probably be retired and replaced by mail/panda-imap.  It is based on imap-uw code and functions similarly, and is actually being maintained.  Similarly, mail/cclient has been replaced by panda-cclient.

Currently there is a notification that prevents you from building both at the same time (since they generate the same executables), but maybe it's time to pull the plug on imap-uw entirely.
Comment 5 Thierry Thomas freebsd_committer 2015-01-18 17:48:51 UTC
I submitted PR ports/195973 to add support for panda-cclient in lang/php5.

ATM I've not yet patched panda-cclient to reduce the list of ciphers, but this is doable.
Comment 6 Leif Velcro 2015-01-18 18:00:07 UTC
That would be a very nice feature, although it is less dire now that panda-imap will compile with an openssl that has had SSLv2/SSLv3 disabled in its config.  imap-uw crashes when you try to build it in that configuration, and without a means of modifying the cipher list, there was no way around the vulnerability.
Comment 7 Leif Velcro 2015-01-18 18:06:57 UTC
Actually, the part about imap-uw not building with those options might not be true.  It was the case that OTHER ports didn't build (although most of these have now been cleaned up), and I think that might have been what was preventing me from using openssl in that configuration.

Sorry for the confusion.

All that said, imap-uw development is at the end of the road and panda-imap is being actively maintained, so the original point stands.

And it's still true that a modifiable cipher list in panda-imap would be great.
Comment 8 w.schwarzenfeld freebsd_triage 2018-01-11 18:43:15 UTC
I think nothing will be changed with imap-uw. So I guess this could be closed.