Gentoo Forums
Disabling SSL3 in courier-imap
basiaf
n00b


Joined: 25 Feb 2005
Posts: 44
Location: Dortmund

Posted: Wed Mar 02, 2016 4:51 pm    Post subject: Disabling SSL3 in courier-imap

In the course of revising and verifying my SSL settings I came across courier-imap (4.16.2) still accepting SSL3 connections. I'm using the latest openssl (1.0.2g-r1) and checked the connections with
Code:
openssl s_client -connect localhost:993 -ssl3

I tried various settings in /etc/courier-imap/imapd-ssl for TLS_PROTOCOL (=TLS1, = TLS1:!SSL3, =TLSv1.2,...) and restarting the service upon change, but it seems the settings are ignored. I also tried disabling the SSL3 ciphers in TLS_CIPHER_LIST.
Can anybody verify this problem or point me in the right direction?
gkmac
Guru


Joined: 19 Jan 2003
Posts: 333
Location: West Sussex, UK

Posted: Wed Mar 02, 2016 8:56 pm    Post subject: Re: Disabling SSL3 in courier-imap

basiaf wrote:
...and restarting the service upon change...
I don't use courier-imap anymore, but I remember it had multiple services for each connection type such as courier-pop3d which was the one I used.

Each of those services depended on another service called courier-authlib. Check that you're restarting that one as well.
_________________
If ~amd64 ebuilds are cutting edge, then git-9999 ebuilds are chainsaws.
"Not everyone can ride a unicycle, does that mean we should put another wheel on it?" - Lokheed
basiaf
n00b


Joined: 25 Feb 2005
Posts: 44
Location: Dortmund

Posted: Wed Mar 02, 2016 11:42 pm

Yes, I restarted that service during my tests. I don't know if this is Gentoo-specific, as the same config seems to work fine on a Debian system. I'll check back on that tomorrow.
Duncan Mac Leod
Apprentice


Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Thu Mar 03, 2016 9:59 am    Post subject: Re: Disabling SSL3 in courier-imap

basiaf wrote:
In the course of revising and verifying my SSL settings I came across courier-imap (4.16.2) still accepting SSL3 connections. I'm using the latest openssl (1.0.2g-r1) and checked the connections with
Code:
openssl s_client -connect localhost:993 -ssl3

I tried various settings in /etc/courier-imap/imapd-ssl for TLS_PROTOCOL (=TLS1, = TLS1:!SSL3, =TLSv1.2,...) and restarting the service upon change, but it seems the settings are ignored. I also tried disabling the SSL3 ciphers in TLS_CIPHER_LIST.
Can anybody verify this problem or point me in the right direction?


http://disablessl3.com/#courier
basiaf
n00b


Joined: 25 Feb 2005
Posts: 44
Location: Dortmund

Posted: Thu Mar 03, 2016 1:38 pm

Yes, that was one of the first things I checked. Everything is in order. Same config works fine on a Debian system.
Code:
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl -facility=mail"
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
COURIERTLS=/usr/sbin/couriertls
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!DSS"
TLS_DHPARAMS=/etc/courier-imap/dh2048.pem
...
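
One way to repeat the s_client check from the first post across protocol versions and across both listeners named in the posted config, as an added example that is not from any poster in this thread. Port 143 for STARTTLS, the `--run` switch and the function names are assumptions; the classification relies on the "Cipher is ..." summary line that s_client prints.

```sh
#!/bin/sh
# Added example: report which protocol versions an IMAP server accepts.

# classify_handshake: read `openssl s_client` output on stdin and print one of
#   accepted | rejected | client-unsupported | no-handshake
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # The local openssl was built without this protocol, so the probe
        # says nothing about the server.
        echo client-unsupported
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9]'; then
        echo accepted
    else
        # No handshake summary at all, e.g. connection refused.
        echo no-handshake
    fi
}

# probe HOST PORT [extra s_client args]
probe() {
    host=$1; port=$2; shift 2
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        result=$(openssl s_client -connect "$host:$port" "-$proto" "$@" \
                 </dev/null 2>&1 | classify_handshake)
        printf '%s:%s %-7s %s\n' "$host" "$port" "$proto" "$result"
    done
}

# Probes run only on request, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
    probe localhost 993                  # implicit TLS listener (SSLPORT=993)
    probe localhost 143 -starttls imap   # STARTTLS listener; port 143 is an assumption
fi
```

Running both probes shows whether a protocol setting took effect on the listener it governs; a `client-unsupported` result means the test has to be repeated from an openssl build that still has that protocol.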