
I cannot disable SSLv2/v3 in courier-imap.

In imapd-ssl config I have following:

TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

According to openssl, SSL is disabled by this entry:

[root@a10-52-79-181 ~]# openssl ciphers -v 'ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
... and the rest of the output is only related to TLS, nothing for SSL.

So far - looks good. But...

openssl s_client -connect localhost:993 -ssl3 | grep "Protocol"
Protocol  : SSLv3

Same for "-ssl2". Courier was restarted multiple times, no help. If we run openssl without specifying a cipher, TLS is correctly used. But how do I finally disable SSL?

Note: I don't want to change TLS_CIPHER_LIST; I want to understand why it seems correct but is not working as intended.

Starl1ght

1 Answer


As @Steffen-ulrich already pointed out in the comments, you only disabled the SSLv3 ciphers in the cipher list. The SSLv3 ciphers and the SSLv3 protocol are related, but not the same: disabling the ciphers does not disable the protocol, and disabling the protocol does not disable the ciphers.

To disable SSL in dovecot, use this:

ssl_protocols = !SSLv3 !SSLv2

Also, I don't know of a parameter called tls_cipher_list, but there's ssl_cipher_list. I also encourage you to set ssl_prefer_server_ciphers = yes and give preferences for ciphers in the cipher list, as recommended by Bettercrypto.org in Applied Crypto Hardening:

# SSL protocols to use
ssl_protocols = !SSLv3 !SSLv2
# SSL ciphers to use
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
sebix
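As an added example, not part of the question or the answer above: a small POSIX shell probe that tries each SSL/TLS version against an IMAPS port with openssl s_client, the check the question runs by hand, and classifies each result from the whole s_client output rather than from the "Protocol" line alone. It assumes the usual s_client output layout: on a failed handshake the SSL-Session block still prints the requested version on its "Protocol" line, and the lines that show the server refused are "New, (NONE), Cipher is (NONE)" and "no peer certificate available". The host name in the usage line is a placeholder, and the sample outputs in the comments are constructed, not captured from the asker's server.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Probe an implicit-TLS port (e.g. IMAPS 993) for every SSL/TLS version the
# local openssl has a flag for, and classify what the server actually did.

# classify_probe PROTO
#   Reads "openssl s_client" output on stdin and prints one word:
#     unsupported  the local openssl does not know the option (e.g. -ssl2 on a
#                  build without SSLv2); says nothing about the server
#     accepted     a handshake with PROTO completed and a real cipher was chosen
#     refused      the server did not complete a PROTO handshake
#   Assumption: on failure s_client prints "Cipher is (NONE)" and
#   "no peer certificate available", while its SSL-Session "Protocol" line
#   still names the version that was *requested*, so that line alone is not
#   proof that the server spoke it.
classify_probe() {
  want="$1"
  out=$(cat)
  case "$out" in
    *"unknown option"*) echo unsupported; return 0 ;;
  esac
  # Version as printed in the SSL-Session block, e.g. "    Protocol  : SSLv3".
  got=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo refused
  elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo refused
  elif [ "$got" = "$want" ]; then
    echo accepted
  else
    echo refused
  fi
}

# probe HOST PORT FLAG PROTO: one s_client handshake with a single version flag
probe() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_probe "$4"
}

# probe_all HOST PORT: one line per version, e.g. "SSLv3    refused"
probe_all() {
  for pair in -ssl2:SSLv2 -ssl3:SSLv3 -tls1:TLSv1 -tls1_1:TLSv1.1 -tls1_2:TLSv1.2; do
    flag=${pair%%:*}
    proto=${pair#*:}
    printf '%-8s %s\n' "$proto" "$(probe "$1" "$2" "$flag" "$proto")"
  done
}

# Usage: sh probe_ssl.sh mail.example.com 993   (placeholder host name)
if [ $# -ge 2 ]; then
  probe_all "$1" "$2"
fi
```

Run it against the IMAPS port after every config change and restart: a server that has really dropped SSLv3 reports "refused" for SSLv3 and "accepted" only for the TLS versions you left enabled, regardless of what the "Protocol" line of a failed run says.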