Poodle and Kolab

hede kolab983 at der-he.de
Mon Oct 20 10:28:00 CEST 2014


On Mon, 20 Oct 2014 10:01:18 +0200, Martin Schmid <martin.schmid at kesslernetworks.de> wrote:

> I want to protect Kolab against POODLE. My problem is to protect my cyrus-imapd.
> I've tried to add these lines in my imapd.conf, but after I restart the 
> cyrus daemon my Kolab and iPhones didn't work.
> 
>   tls_cipher_list: TLSv1:!SSLv2:!SSLv3:!NULL:!EXPORT:!DES:@STRENGTH

The ciphers for TLSv1 are named SSLv3, so by disabling SSLv3 ciphers you also disabled TLSv1 and TLSv1.1. Not even TLSv1.2 is working then, even though these ciphers are not named SSLv3.

Check this by issuing:
openssl ciphers -v 'TLSv1:SSLv3'
and
openssl ciphers -v 'TLSv1:!SSLv3'

There's some patch on the cyrus mailing list from Kristian, which addresses this:
http://comments.gmane.org/gmane.mail.imap.cyrus/38161

For now - AFAIK - it's not possible to harden cyrus this way, except by hardening it to TLSv1.2 only:
openssl ciphers -v 'TLSv1.2:!SSLv3'

regards
hede
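
The check described in this message can be scripted. The following is an added example, not part of the original post or of Cyrus/Kolab: it reads tls_cipher_list from an imapd.conf, expands it with the local openssl, and counts the selected ciphers by the protocol label that `openssl ciphers -v` prints in its second column. The function names and the config path argument are assumptions, and the result depends on the installed OpenSSL version.

```shell
#!/bin/sh
# Added example: audit a Cyrus tls_cipher_list before restarting the daemon.
# Function names and the command-line usage are hypothetical.

# Print the last tls_cipher_list value found in an imapd.conf-style file.
cipher_list_from_conf() {
    sed -n 's/^[[:space:]]*tls_cipher_list:[[:space:]]*//p' "$1" | tail -n 1
}

# Read `openssl ciphers -v` output on stdin and count the ciphers per
# protocol label (second column), one "LABEL=COUNT" line per label.
summarise_ciphers() {
    awk 'NF >= 2 { n[$2]++ } END { for (p in n) printf "%s=%d\n", p, n[p] }' | sort
}

# Expand a cipher string with the local OpenSSL and summarise it.
# Returns 1 when the string selects nothing or openssl rejects it,
# which is the state in which clients can no longer connect.
audit_cipher_list() {
    if ! out=$(openssl ciphers -v "$1" 2>/dev/null) || [ -z "$out" ]; then
        echo "EMPTY: '$1' selects no ciphers" >&2
        return 1
    fi
    printf '%s\n' "$out" | summarise_ciphers
}

# Usage: sh audit.sh /path/to/imapd.conf   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_cipher_list "$(cipher_list_from_conf "$1")"
fi
```

A non-zero exit status means the configured string should not be deployed as it stands.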

