More testing, seems all my imap clients attempt to use ssl2 first, and
from the openssl mailing list:
"Oops, should've made this clearer. It is only clients that need to avoid the old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs to be done to a server." http://www.mail-archive.com/openssl-users@openssl.org/msg49926.html
This is confirmed using openssl s_client -connect host:993 (-ssl3|-tls1|-ssl2)
I don't see any way around this globally, unless each program has a
config option to disable ssl2.
Quoting Patrick Domack patrickdk@patrickdk.com:
Ok last info.
using OpenSSL 0.9.8g: openssl s_client -connect host:993

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1E5412EC32463E66FC75D761A4D48CF6ED416187F32A81F6DAC3DA4E9028E2DE
    Session-ID-ctx:
    Master-Key: B0E15199867D8B48F31F8776C7E439542F4D1A7B33239814CE0C5FF564CB007DE431E9357DF120E7AF347CD1E934CE83
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1254198546
    Timeout   : 7200 (sec)
Quoting Patrick Domack patrickdk@patrickdk.com:
Just playing some more and noticed using: gnutls-cli (GnuTLS) 2.4.2
always says compression isn't supported, even when version 2.0.4
says it was.
gnutls-cli 2.4.2 from Ubuntu 9.04 x64: Compression: DEFLATE, NULL
gnutls-cli 2.0.4 from Ubuntu 8.04 x64: Compression: LZO, DEFLATE, NULL
I also noticed 2.4.2 would connect using aes-128, whereas 2.0.4 would connect using aes-256
Quoting Patrick Domack patrickdk@patrickdk.com:
The command I used was:
gnutls-cli --protocols NORMAL:+COMP-DEFLATE --insecure -p 993
I have tried the --comp option, but it always fails for me (ubuntu 8.04)
gnutls-cli (GnuTLS) 2.0.4
Red Hat is 5.3, FreeBSD is 6.3
Quoting Leonardo Rodrigues leolistas@solutti.com.br:
Timo Sirainen wrote:
And DEFLATE gives the exact same error? LZO isn't supported by OpenSSL.
Yes... the errors from DEFLATE and LZO are exactly the same in the gnutls-cli output and in the maillog on the CentOS 5.3 box.
Well, not the same server but looks like this one works too:
gnutls-cli --priority NORMAL:+COMP-DEFLATE -p 993 secure.emailsrvr.com
And just for fun I tried imap.gmail.com, that didn't support compression.
I had tried imap.gmail.com too :)
Interesting findings... from CentOS 5.3, I can't get any compression method to work:
[root@correio dovecot]# gnutls-cli --insecure -p 993 -p 993 secure.emailsrvr.com --comp LZO DEFLATE NULL [ ......]
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
but from a Fedora 8 box:
[root@correio ~]# gnutls-cli --insecure -p 993 -p 993 secure.emailsrvr.com --comp LZO DEFLATE NULL [ ......]
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
and the Fedora 8 OpenSSL is even older than the CentOS 5.3 one:
CentOS 5.3:
[root@correio dovecot]# rpm -qi openssl
Name        : openssl                      Relocations: (not relocatable)
Version     : 0.9.8e                            Vendor: CentOS
Release     : 12.el5                        Build Date: Fri 04 Sep 2009 09:33:56 AM BRT

Fedora 8:
[root@correio ~]# rpm -qi openssl
Name        : openssl                      Relocations: (not relocatable)
Version     : 0.9.8b                            Vendor: Fedora Project
Release     : 17.fc8                        Build Date: Mon 15 Oct 2007 07:56:22 PM BRST
Probably there's some build option on CentOS that is disabling compression. If 0.9.8b on Fedora 8 built in October 2007 can do it, then 0.9.8e on CentOS 5.3 built in September 2009 should be able to do it too... oh boy, I really hate those weird compilation options from Red Hat... :\
--
Sincerely, Leonardo Rodrigues, Solutti Tecnologia, http://www.solutti.com.br
My SPAMTRAP, do not email it: gertrudes@solutti.com.br
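Added example, not code posted by anyone in this thread: the s_client and gnutls-cli runs above only show what the server accepted, but the two things being argued about (whether a client starts with an SSLv2-compatible hello, and whether it offers DEFLATE at all) are both visible in the first bytes the client sends on port 993. The parser below tells an SSLv2-compatible CLIENT-HELLO (2-byte header with the high bit set, and no compression field at all) apart from an SSLv3/TLS handshake record, and reports the advertised version, cipher suites and compression methods (0 = NULL, 1 = DEFLATE per RFC 3749, 64 = LZS per RFC 3943). Both sample hellos are constructed inline and are not captured from any host named above; in practice you would feed it the first record of a packet capture of a client connecting to port 993.

```python
"""Parse the first message a TLS client sends (e.g. to IMAP port 993) and
report what it offers: SSLv2-compatible framing vs. an SSLv3/TLS record,
the advertised version, and the compression methods (RFC 3749 DEFLATE = 1).

Added example for this thread, not code posted by any participant.  The
sample hellos at the bottom are constructed by hand, not captured traffic.
"""
import struct

# IANA compression method ids: 0 NULL, 1 DEFLATE (RFC 3749), 64 LZS (RFC 3943).
# GnuTLS's LZO used a non-standard id, so it is deliberately not mapped here.
COMPRESSION_NAMES = {0: "NULL", 1: "DEFLATE", 64: "LZS"}
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "%d.%d" % (major, minor))


def parse_sslv2_client_hello(data):
    # SSLv2 record: when the high bit of byte 0 is set the header is 2 bytes
    # and the remaining 15 bits are the length (RFC 2246 appendix E.1).
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 9 or body[0] != 1:  # 1 = CLIENT-HELLO
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    major, minor = body[1], body[2]          # highest version the client speaks
    cs_len, sid_len, chal_len = struct.unpack("!HHH", body[3:9])
    specs = body[9:9 + cs_len]
    if len(specs) != cs_len or cs_len % 3:
        raise ValueError("malformed cipher specs")
    # V2 cipher specs are 3 bytes: a leading 0x00 wraps an SSLv3/TLS suite id,
    # anything else is a native SSLv2 cipher kind.
    triples = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    return {
        "framing": "SSLv2-compatible",
        "version": version_name(major, minor),
        "tls_suites": [(t[1] << 8) | t[2] for t in triples if t[0] == 0],
        "v2_ciphers": [int.from_bytes(t, "big") for t in triples if t[0] != 0],
        "compression": [],   # SSLv2 framing has no compression field at all
    }


def parse_tls_client_hello(data):
    # Record header: type(1) version(2) length(2); 0x16 = handshake.
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", data[:5])
    rec = data[5:5 + rlen]
    if ctype != 0x16 or len(rec) != rlen or rec[0] != 1:  # HandshakeType 1
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    major, minor = hello[0], hello[1]
    pos = 2 + 32                                 # skip the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    comps = list(hello[pos + 1:pos + 1 + comp_len])
    return {
        "framing": "SSLv3/TLS record",
        "version": version_name(major, minor),
        "tls_suites": suites,
        "v2_ciphers": [],
        "compression": [COMPRESSION_NAMES.get(c, "0x%02x" % c) for c in comps],
    }


def parse_client_hello(data):
    """Dispatch on byte 0: 0x16 is a TLS handshake record; a set high bit is
    the SSLv2 2-byte record header that v2-compatible clients send first."""
    if data[0] == 0x16:
        return parse_tls_client_hello(data)
    if data[0] & 0x80:
        return parse_sslv2_client_hello(data)
    raise ValueError("unrecognised first byte 0x%02x" % data[0])


def offers_deflate(data):
    return "DEFLATE" in parse_client_hello(data)["compression"]


# --- constructed samples (not captured from any host in this thread) ---
def build_tls_client_hello(version, suites, comps):
    body = bytes(version) + b"\x11" * 32 + b"\x00"   # version, random, no session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(comps)]) + bytes(comps)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


def build_v2_client_hello(version, specs):
    body = b"\x01" + bytes(version) + struct.pack("!HHH", 3 * len(specs), 0, 16)
    body += b"".join(specs) + b"\x22" * 16            # cipher specs, challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


# A TLS 1.0 hello offering DHE-RSA-AES256-SHA (0x0039), AES128-SHA (0x002f)
# and compression DEFLATE then NULL, as a zlib-enabled client would send.
SAMPLE_TLS_HELLO = build_tls_client_hello((3, 1), [0x0039, 0x002F], [1, 0])
# A v2-compatible hello advertising TLS 1.0 with one wrapped TLS suite and
# one native SSLv2 cipher (SSL_CK_RC4_128_WITH_MD5 = 0x010080).
SAMPLE_V2_HELLO = build_v2_client_hello((3, 1), [b"\x00\x00\x39", b"\x01\x00\x80"])

if __name__ == "__main__":
    for sample in (SAMPLE_TLS_HELLO, SAMPLE_V2_HELLO):
        print(parse_client_hello(sample))
```

The point of the two samples: a client that opens with the v2-compatible hello never gets to offer DEFLATE on that first flight, which is consistent with the observation that this is a client-side setting and nothing on the server fixes it.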