Dovecot 2.1.7 still accepting SSLv3 though disabled?
A. Schulze
sca at andreasschulze.de
Sun Mar 15 13:42:00 UTC 2015
Thomas Preissler:
> ssl_protocols = !SSLv3 !SSLv2
That disables SSLv3.
> When I enable verbose_ssl I get this:
> 2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001,
> ret=1: SSLv3 flush data [$CLIENTIP]
> ...
> Is this right? Is SSLv3 used on this connection?
The logging is right, but SSLv3 isn't used.
Today it's not uncommon that applications /log/ SSLv3 where they /mean/ TLS1.x.
Some days ago, when TLSv1 became available, there wasn't a great
difference between SSLv3 and TLSv1,
so developers reused large portions of code. That's what you see here.
> But when I explicitly test for SSLv3 support I get
>
> $ openssl s_client -connect $SERVERIP:993 -ssl3
>
> CONNECTED(00000003)
> 140683835029160:error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1260:SSL alert number 40
> 140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:598:
That is the ultimate proof your server has SSLv3 disabled.
Andreas
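
Added example (not part of the original message): a small triage helper for the two pieces of evidence in this thread. It decodes the `where=` bitmask of a verbose_ssl line using the info-callback constants from OpenSSL's `ssl.h`, which shows the line is a handshake state trace rather than a record of the negotiated protocol, and it names the alert in the `s_client -ssl3` output. The function names are hypothetical; the sample strings are the ones quoted above, with the mail line wraps rejoined.

```python
import re

# Bit values of OpenSSL's info-callback "where" argument (openssl/ssl.h).
WHERE_FLAGS = {
    0x0001: "SSL_CB_LOOP",
    0x0002: "SSL_CB_EXIT",
    0x0004: "SSL_CB_READ",
    0x0008: "SSL_CB_WRITE",
    0x0010: "SSL_CB_HANDSHAKE_START",
    0x0020: "SSL_CB_HANDSHAKE_DONE",
    0x1000: "SSL_ST_CONNECT",
    0x2000: "SSL_ST_ACCEPT",
    0x4000: "SSL_CB_ALERT",
}
# Alert descriptions a server sends when it refuses the offered version (RFC 5246, 7.2).
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

LOG_RE = re.compile(r"SSL: where=(0x[0-9a-fA-F]+), ret=(-?\d+): (.+?) \[")
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# Sample input: the lines quoted in this thread, mail wrapping undone.
SAMPLE_LOG = ("2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, "
              "ret=1: SSLv3 flush data [$CLIENTIP]")
SAMPLE_S_CLIENT = ("140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:"
                   "sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40")

def decode_where(where):
    """Return the names of all flag bits set in an info-callback 'where' value."""
    return [name for bit, name in sorted(WHERE_FLAGS.items()) if where & bit]

def parse_verbose_ssl(line):
    """Split a verbose_ssl log line into callback flags, return code and state text.

    The state text ("SSLv3 flush data") names a step of OpenSSL's handshake
    state machine; it is not the protocol version of the connection.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"flags": decode_where(int(m.group(1), 16)),
            "ret": int(m.group(2)),
            "state": m.group(3)}

def probe_rejected(s_client_output):
    """Return the alert name if the probe was answered with a fatal alert, else None."""
    m = ALERT_RE.search(s_client_output)
    if not m:
        return None
    number = int(m.group(1))
    return ALERTS.get(number, "alert %d" % number)
```
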