Poodle and Kolab
hede
kolab983 at der-he.de
Thu Oct 23 10:11:43 CEST 2014
On Thu, 23 Oct 2014 01:13:19 +0400, dsp3 <info at dsp3.org> wrote:
> Have you tried listing the individual ciphers in order? Try the
> following.
> tls_cipher_list:
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS
With OpenSSL, all tls1 and tls1.1 ciphers are also ssl3 ciphers; they are shared.
Try listing your cipher list with openssl:
openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS'
If it lists SSLv3 and TLSv1.2 in the second column, then SSLv3 is probably enabled.
Simply test encryption via openssl command line:
openssl s_client -connect [serveraddress]:imaps -tls1
openssl s_client -connect [serveraddress]:imaps -ssl3
While the former should offer you a connection:
* OK [CAPABILITY IMAP4rev1 ...
the latter should simply fail and return to the calling shell.
Well, while limiting ciphers may be an additional security option to limit ssl/tls to strong encryption, this list does not seem sufficient to limit OpenSSL to TLS and not use SSLv3.
With a patched cyrus and the following line in imapd.conf:
tls_versions: tls1_0 tls1_1 tls1_2
... the ssl3 test above fails and returns to shell as expected.
regards
hede
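A small POSIX shell script that automates the two checks described in the message above. It is an added example, not from this thread or from Kolab/Cyrus; it assumes `openssl` is on the path, the cipher listing it parses offline is a constructed sample, and the host name is a placeholder you supply on the command line.

```shell
#!/bin/sh
# Added example (not from the thread or from Kolab/Cyrus). It automates the two
# checks from the message: inspect the protocol column of `openssl ciphers -v`,
# and probe a server with `openssl s_client` once per protocol flag.

# Constructed sample of `openssl ciphers -v` output, shortened to four lines.
# The second column is the lowest protocol a cipher works with: ciphers usable
# by TLS 1.0/1.1 show up as SSLv3, so a cipher string alone cannot disable SSLv3.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'

# Count ciphers per protocol (second field) in `openssl ciphers -v` output on stdin.
protocols_in_cipher_list() {
    awk 'NF >= 2 { n[$2]++ } END { for (p in n) print p, n[p] }' | sort
}

# Probe host:port once with one s_client protocol flag (-ssl3, -tls1, ...).
# Exit status: 0 = handshake completed, 1 = refused by the server,
# 2 = inconclusive (the local openssl does not know the flag, e.g. a build
# compiled without SSLv3 cannot test -ssl3 at all).
probe_protocol() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 || true)
    case "$out" in
        *nknown?option*)      return 2 ;;
        *"Cipher is (NONE)"*) return 1 ;;
        *"Cipher is "*)       return 0 ;;
    esac
    return 1
}

# Run all probes against one server and print one line per protocol.
# After the tls_versions fix from the message, -ssl3 should read "refused".
report_protocols() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        rc=0; probe_protocol "$1" "$2" "$flag" || rc=$?
        case $rc in 0) r=offered ;; 2) r=inconclusive ;; *) r=refused ;; esac
        printf '%-8s %s\n' "$flag" "$r"
    done
}

# Offline check on the constructed sample (no server needed):
printf '%s\n' "$SAMPLE_CIPHERS" | protocols_in_cipher_list
# Live check when a host is given, e.g.: ./check.sh imap.example.org 993
if [ $# -ge 1 ]; then report_protocols "$1" "${2:-993}"; fi
```

An openssl built without SSLv3 support cannot probe -ssl3, so the script reports that as inconclusive rather than as proof that the server refuses it; run it from a host whose openssl still knows the flag.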