Well ..... here for me, with 'openssl s_client', I can't even connect
when using -ssl2:
[root@correio ~]# openssl s_client -connect localhost:993 -ssl2
[ ... ]
27110:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
[root@correio ~]#
but that's probably because I have this in dovecot.conf:
ssl_cipher_list = ALL:!LOW:!SSLv2
With ssl3 and tls1 I can connect and see the zlib compression being
enabled:
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    [ ..... ]
    Compression: 1 (zlib compression)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    [ ..... ]
    Compression: 1 (zlib compression)
Thunderbird has options to enable/disable each cipher of
ssl2/ssl3/tls1, as well as to disable them completely. Here in my Thunderbird 2.0.0.23, SSLv2 is disabled, and this is certainly the default config, as I never tweaked this.
http://img43.imageshack.us/img43/7937/thunderbirdssl2.jpg
Logging from dovecot shows clearly that I'm using TLSv1 to connect
... it also shows that TLSv1 connections from Thunderbird do not use compression, while connections from gnutls-cli correctly enable it:
thunderbird 2.0.0.23:
Sep 29 07:12:02 correio dovecot: imap-login: Login: user=mail@box.com.br, method=PLAIN, rip=189.114.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
gnutls-cli:
Sep 28 18:36:54 correio dovecot: imap-login: Login: user=mail@box.com.br, method=PLAIN, rip=189.11.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) zlib compression
Wireshark confirms I'm using TLSv1 and also shows Thunderbird is
announcing that no compression is supported.
http://img33.imageshack.us/img33/9011/wiresharktlsv1.jpg
So ..... despite the known fact that SSLv2 can't be used if
compression is wanted, using SSLv3 and TLSv1 apparently does not automatically guarantee that .....
Patrick Domack wrote:
More testing: it seems all my IMAP clients attempt to use ssl2 first, and from the openssl mailing list:
Oops, should've made this clearer. It is only clients that need to avoid the old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs to be done to a server. http://www.mail-archive.com/openssl-users@openssl.org/msg49926.html
This is confirmed using openssl s_client -connect host:993 (-ssl3|-tls1|-ssl2)
I don't see any way around this globally, unless each program has a config option to disable ssl2.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT email it:
gertrudes@solutti.com.br
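As an added example (not code from the thread or from the Dovecot project), here is a small parser that reads dovecot imap-login lines in the format shown above and reports, per protocol, how many logins negotiated zlib compression and how many did not. It assumes the log format exactly as quoted in the post (user=, method=, rip=, lip=, then an optional "TLS, <proto> with cipher <name> (<bits>)" and an optional trailing "zlib compression"); the sample lines, including the plaintext login and the "Disconnected" line, are constructed for the example with the same masked addresses the post uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, in the format quoted in the post (addresses masked as there).
SAMPLE_LOG = """\
Sep 29 07:12:02 correio dovecot: imap-login: Login: user=mail@box.com.br, method=PLAIN, rip=189.114.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 28 18:36:54 correio dovecot: imap-login: Login: user=mail@box.com.br, method=PLAIN, rip=189.11.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) zlib compression
Sep 28 18:40:10 correio dovecot: imap-login: Login: user=other@box.com.br, method=PLAIN, rip=10.0.0.5, lip=200.140.xx.xx, TLS, SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits) zlib compression
Sep 28 18:41:00 correio dovecot: imap-login: Login: user=plain@box.com.br, method=PLAIN, rip=10.0.0.6, lip=200.140.xx.xx
Sep 28 18:41:05 correio dovecot: imap-login: Disconnected (no auth attempts): rip=10.0.0.7, lip=200.140.xx.xx
"""

# One regex for the whole "Login:" line; the TLS part and the compression suffix are optional.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: imap-login: Login: "
    r"user=(?P<user>[^,]+), method=(?P<method>[^,]+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
    r"(?:, TLS, (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]*)\)"
    r"(?P<comp> zlib compression)?)?\s*$"
)


@dataclass
class Login:
    ts: str
    host: str
    user: str
    method: str
    rip: str
    lip: str
    tls: bool
    proto: Optional[str]      # e.g. "TLSv1" or "SSLv3"; None for plaintext logins
    cipher: Optional[str]
    bits: Optional[str]
    compression: bool         # True when dovecot appended "zlib compression"


def parse_login_line(line: str) -> Optional[Login]:
    """Return a Login for an imap-login 'Login:' line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return Login(
        ts=m["ts"], host=m["host"], user=m["user"], method=m["method"],
        rip=m["rip"], lip=m["lip"],
        tls=m["proto"] is not None,
        proto=m["proto"], cipher=m["cipher"], bits=m["bits"],
        compression=m["comp"] is not None,
    )


def parse_log(text: str) -> List[Login]:
    """Parse every line of a log excerpt, skipping lines that are not logins."""
    logins = []
    for line in text.splitlines():
        parsed = parse_login_line(line)
        if parsed is not None:
            logins.append(parsed)
    return logins


def summarize(logins: List[Login]) -> Dict[str, Dict[str, int]]:
    """Count compressed vs. uncompressed logins per protocol ('plaintext' when no TLS)."""
    out: Dict[str, Dict[str, int]] = {}
    for login in logins:
        key = login.proto if login.tls else "plaintext"
        bucket = out.setdefault(key, {"compressed": 0, "uncompressed": 0})
        bucket["compressed" if login.compression else "uncompressed"] += 1
    return out


if __name__ == "__main__":
    for login in parse_log(SAMPLE_LOG):
        state = "zlib" if login.compression else "none"
        print(f"{login.rip:15} {login.proto or 'plaintext':9} compression={state}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run against a real mail log (for example, feeding `parse_log` the contents of /var/log/maillog), the per-protocol summary makes it easy to see which client populations, identified by their rip, end up with compression on and which, like the Thunderbird login above, negotiate TLSv1 without it.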