Re: [exim] TLS renegotiation CVE-2011-1473 BUG

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] TLS renegotiation CVE-2011-1473 BUG
On 20/06/16 07:18, Sandeep Singh wrote:
> I want to fix the TLS renegotiation in exim ( CVE-2011-1473 ). I tried a
> lot but not able to find the right option in exim.conf.


There isn't one.

From the CVE description it isn't clear that it's worth addressing. It
looks like the coding required is to add a callback for a
(re)negotiation event, failing any but the first (or possibly
rate-limiting them). Quite a lot of complexity for an attack just
as simply done by multiple connections. Admittedly the latter
has more visibility to admins.
--
Cheers,
Jeremy
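
Added example, not part of the original message and not Exim code: a sketch of the per-connection decision the reply describes, failing any handshake but the first or rate-limiting renegotiations. The struct, function names and limits are hypothetical, and the event times in main() are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical per-connection state; names are illustrative, not Exim's. */
struct reneg_guard {
    bool     seen_initial;   /* initial handshake already started */
    unsigned in_window;      /* renegotiations counted in current window */
    time_t   window_start;   /* start of the current rate-limit window */
    unsigned max_per_window; /* 0 = strict mode: fail any but the first */
    time_t   window_secs;    /* rate-limit window length in seconds */
};

void reneg_guard_init(struct reneg_guard *g, unsigned max_per_window,
                      time_t window_secs)
{
    g->seen_initial = false;
    g->in_window = 0;
    g->window_start = 0;
    g->max_per_window = max_per_window;
    g->window_secs = window_secs;
}

/* Call once per handshake-start event on a connection. With OpenSSL, the
 * info callback set via SSL_CTX_set_info_callback() reports such an event
 * as SSL_CB_HANDSHAKE_START; wiring it up that way is an assumption here.
 * Returns true to continue, false if the connection should be dropped. */
bool reneg_guard_on_handshake_start(struct reneg_guard *g, time_t now)
{
    if (!g->seen_initial) {
        g->seen_initial = true;
        return true;                    /* the first handshake is allowed */
    }
    if (g->max_per_window == 0)
        return false;                   /* strict: no renegotiation at all */
    if (now - g->window_start >= g->window_secs) {
        g->window_start = now;          /* start a fresh window */
        g->in_window = 0;
    }
    return ++g->in_window <= g->max_per_window;
}

int main(void)
{
    time_t events[] = {100, 101, 102, 103, 170};  /* constructed times */
    struct reneg_guard g;
    reneg_guard_init(&g, 2, 60);        /* at most 2 renegotiations per 60 s */
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++)
        printf("t=%ld %s\n", (long)events[i],
               reneg_guard_on_handshake_start(&g, events[i]) ? "allow" : "drop");
    return 0;
}
```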