Dovecot 2.1.7 still accepting SSLv3 though disabled?
Will Yardley
dovecot.org at veggiechinese.net
Tue Mar 17 04:54:49 UTC 2015
On Sun, Mar 15, 2015 at 02:42:00PM +0100, A. Schulze wrote:
> Thomas Preissler:
> The logging is right, but SSLv3 isn't used.
> Today it's not uncommon that application /log/ SSLv3, where they /mean/ TLS1.x
>
> Some days ago where TLSv1 became available there wasn't a great
> difference between SSLv3 and TLSv1
> So Developers reused large portions of code. That's what you see here..
>
> > But when I explicitely test for SSLv3 support I get
> >
> > $ openssl s_client -connect $SERVERIP:993 -ssl3
> >
> > CONNECTED(00000003)
> > 140683835029160:error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake
> > failure:s3_pkt.c:1260:SSL alert number 40
> > 140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> > handshake failure:s3_pkt.c:598:
>
> That is the ultimate prove your server have SSLv3 disabled.
Another fun trick for testing is
nmap -p 993 --script ssl-enum-ciphers foo.example.com
You'll then see (if you've got a new enough version) something like:
[...]
993/tcp open imaps
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
[...]
w
More information about the dovecot
mailing list