well ..... here for me, with 'openssl s_client', i cant even connect
when using -ssl2:
[root@correio ~]# openssl s_client -connect localhost:993 -ssl2 [ ... ] 27110:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450: [root@correio ~]#
but that's probably because i have on dovecot.conf:
ssl_cipher_list = ALL:!LOW:!SSLv2
with ssl3 and tls1 i can connect and see the zlib compression being
enabled.
SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA [ ..... ] Compression: 1 (zlib compression)
SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA [ ..... ] Compression: 1 (zlib compression)
Thunderbird has the options to enable/disable each cipher of
ssl2/ssl3/tls1 as well as disable them completly too. Here in my Thunderbird 2.0.0.23, SSLv2 is disabled, and this is certainly the default configs, as i never tweaked this.
http://img43.imageshack.us/img43/7937/thunderbirdssl2.jpg
logging from dovecot shows clearly that i'm using TLSv1 to connect
... it also shows that TLSv1 connections from thunderbird do not use compression, and connections from gnutls-cli correctly enables that
thunderbird 2.0.0.23 Sep 29 07:12:02 correio dovecot: imap-login: Login: user=<mail@box.com.br>, method=PLAIN, rip=189.114.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
gnutls-cli Sep 28 18:36:54 correio dovecot: imap-login: Login: user=<mail@box.com.br>, method=PLAIN, rip=189.11.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) zlib compression
wireshack confirms i'm using TLSv1 and also shows Thunderbird is
announcing no compression is supported.
http://img33.imageshack.us/img33/9011/wiresharktlsv1.jpg
so ..... despite the known fact that SSLv2 cant be used if
compression is wanted, using SSLv3 and TLSv1 apparently does not automatically guarantees that .....
Patrick Domack escreveu:
More testing, seems all my imap clients attempt to use ssl2 first, and from the openssl mailing list:
Oops, should've made this clearer. It is only clients than need to avoid the old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs to be done to a server. http://www.mail-archive.com/openssl-users@openssl.org/msg49926.html
This is confirmed using openssl s_client -connect host:993 (-ssl3|-tls1|-ssl2)
I don't see any way around this globally, unless each program has a config option to disable ssl2.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it