[Dovecot] How do I make dovecot not use sslv2 for pop?

Rob Middleton robm-dovecot at centenary.org.au
Fri Jan 29 03:14:45 EET 2010


On 29/01/2010 11:22 AM, Timo Sirainen wrote:
> On Thu, 2010-01-28 at 15:23 -0800, Patrick Horgan wrote:
>
>> Just a bump, still have the problem, why would dovecot support sslv2 for
>> pop, but not for imap, when it's configured to not support  sslv2 at all?
> I don't know why your nmap run would have shown only one of them
> supporting SSLv2, it should have shown both. And that's because I
> initialize OpenSSL with:
>
> 	ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
>
> So I guess what happens is that OpenSSL advertises that it supports
> SSLv2. But then the ssl_cipher_list's !SSLv2 doesn't let the SSLv2
> handshake actually go through. So it's not really possible to use SSLv2.
> You can verify this with:
>
> openssl s_client -ssl2 -connect localhost:995
>
> Anyway.. I guess I should do something about this. Not really sure what,
> though.
>
Apache mod_ssl has both a SSLCipherSuite and SSLProtocol option.

SSLCipherSuite takes the same syntax as Dovecot's ssl_cipher_list. 
Dovecot doesn't have an equivalent of SSLProtocol.

in Apache:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:-MD5:+HIGH:+MEDIUM:@STRENGTH
SSLProtocol all -SSLv2

I'm not that fussed, but it would be good to be able to disable it for 
completeness. (I'm more fussed by MSIE6 preventing me from defaulting to 
stronger ciphers for web servers - and defaulting to SSLv2 enabled, but 
TLS disabled).

Rob Middleton.
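The distinction Rob draws above (a cipher list like ssl_cipher_list / SSLCipherSuite versus a protocol switch like SSLProtocol) can be shown with Python's ssl module, which wraps the same OpenSSL context Timo's SSL_CTX_new() call creates. This is an added illustration, not code from the thread or from Dovecot; the function names are made up for it, and it assumes a Python 3.7+ build against an OpenSSL that has already dropped SSLv2, where the "!SSLv2" token in the cipher string matches nothing and is ignored.

```python
import ssl

# Rob's Apache SSLCipherSuite string, which uses the same syntax as
# Dovecot's ssl_cipher_list. "!SSLv2" only removes SSLv2 *ciphers*; it says
# nothing about which protocol versions the context will negotiate.
CIPHER_LIST = ("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:"
               "RC4+RSA:-MD5:+HIGH:+MEDIUM:@STRENGTH")


def cipher_only_context():
    """Mirror the situation in the thread: a generic (SSLv23-style) server
    context whose only restriction is the cipher list.  The protocol floor is
    left at whatever the library supports, so old protocol versions are still
    advertised; only their cipher suites are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor
    ctx.set_ciphers(CIPHER_LIST)
    return ctx


def protocol_restricted_context():
    """The equivalent of Apache's 'SSLProtocol all -SSLv2': keep the same
    cipher list but also pin a protocol floor, so the old versions are not
    offered in the first place.  TLS 1.2 is used here because modern OpenSSL
    no longer carries SSLv2 or SSLv3 at all."""
    ctx = cipher_only_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cipher_protocol_names(ctx):
    """Protocol family each enabled cipher suite belongs to, as reported by
    OpenSSL.  Shows that the cipher list alone never lists SSLv2 suites."""
    return sorted({c["protocol"] for c in ctx.get_ciphers()})


def protocol_floor(ctx):
    """The lowest protocol version the context will negotiate."""
    return ctx.minimum_version


if __name__ == "__main__":
    for name, ctx in (("cipher list only", cipher_only_context()),
                      ("cipher list + protocol floor",
                       protocol_restricted_context())):
        print(f"{name}: floor={protocol_floor(ctx).name}, "
              f"cipher protocols={cipher_protocol_names(ctx)}")
```

Comparing the two printouts shows why a cipher-only filter can leave a scanner believing old protocols are still supported: the floor differs even though the cipher sets are identical.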

