On Sun, Mar 15, 2015 at 02:42:00PM +0100, A. Schulze wrote:
> Thomas Preissler: The logging is right, but SSLv3 isn't used. Today it's not uncommon that applications /log/ SSLv3 where they /mean/ TLS1.x.
> Some days ago, when TLSv1 became available, there wasn't a great difference between SSLv3 and TLSv1, so developers reused large portions of code. That's what you see here.
>
> But when I explicitly test for SSLv3 support I get
>
> $ openssl s_client -connect $SERVERIP:993 -ssl3
> CONNECTED(00000003)
> 140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
> 140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
>
> That is the ultimate proof your server has SSLv3 disabled.
Another fun trick for testing is

    nmap -p 993 --script ssl-enum-ciphers foo.example.com

You'll then see (if you've got a new enough version) something like:

    [...]
    993/tcp open  imaps
    | ssl-enum-ciphers:
    |   TLSv1.0:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    [...]
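An added example, not code from this thread: a small Python probe that sends a hand-built SSLv3 ClientHello to an implicit-TLS port such as IMAPS 993 and classifies the first record the server sends back, so the "SSL alert number 40" result above can be reproduced even with an OpenSSL or Python build that no longer offers -ssl3. The host name is a placeholder, and it assumes the port speaks TLS directly (no STARTTLS).

```python
import socket
import struct

# Constructed probe for checking that SSLv3 is refused; modern ssl modules cannot speak SSLv3.
SSLV3 = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
# A few SSLv3-era suites (AES, 3DES, RC4): enough to draw a ServerHello from any server that still accepts SSLv3.
CIPHERS = b"\x00\x2f\x00\x35\x00\x0a\x00\x04\x00\x05"


def build_sslv3_client_hello() -> bytes:
    """Return one SSLv3 record carrying a minimal ClientHello (no extensions)."""
    body = (
        SSLV3                                        # client_version = 3.0
        + b"\x00" * 32                               # random (zeros are fine for a probe)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(CIPHERS)) + CIPHERS  # cipher_suites
        + b"\x01\x00"                                # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello + 24-bit length
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the first record a server answers with to 'disabled', 'enabled' or 'unknown'."""
    if len(data) < 7:
        return "unknown"                  # connection closed or garbage: inconclusive
    if data[0] == ALERT:
        # description 40 = handshake_failure (the "SSL alert number 40" in the thread);
        # 70 = protocol_version is the other common refusal. Either way SSLv3 was not negotiated.
        return "disabled"
    if data[0] == HANDSHAKE and len(data) >= 11 and data[5] == 2 and data[9:11] == SSLV3:
        return "enabled"                  # a ServerHello whose server_version is 3.0
    return "unknown"


def check_sslv3(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Connect to an implicit-TLS port (e.g. IMAPS 993) and report whether SSLv3 is accepted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_response(s.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "unknown"


if __name__ == "__main__":
    import sys
    # placeholder host; pass your own server on the command line
    print(check_sslv3(sys.argv[1] if len(sys.argv) > 1 else "imap.example.com"))
```

A "disabled" result matches the openssl output quoted above; "enabled" means the server completed an SSLv3 ServerHello and the configuration still needs fixing.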