Re: openssl question
But I tried this command:
openssl s_client -connect mail.mydomain:pop3s -starttls imap
It says CONNECTED and hangs. Is the second command correct?
Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or whatever the hell the terminology is nowadays).
If you're testing IMAP, try one or the other or both depending on how many flavours of SSL you got going.
openssl s_client -starttls imap -connect mail.mydomain:143
openssl s_client -connect mail.mydomain:993
Joseph Tam jtam.home@gmail.com
OK, I understand the difference.
openssl s_client -starttls imap -connect mail.mydomain:143
openssl s_client -connect mail.mydomain:993
These commands run as expected.
I know this forum isn't about Thunderbird, but when I set up an account in Thunderbird on port 993 with SSL, I see this line in dovecot.log:
TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
In our Dovecot (2.0.9 on Red Hat) 10-ssl.conf file we have
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3
settings.
Are these settings correct for Dovecot? If they are correct, can we say there is a problem with Thunderbird? :)
Thanks in advance
On Tue, Jan 9, 2018 at 3:59 AM, Joseph Tam jtam.home@gmail.com wrote:
But I tried this command:
openssl s_client -connect mail.mydomain:pop3s -starttls imap
It says CONNECTED and hangs. Is the second command correct?
Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or whatever the hell the terminology is nowadays).
If you're testing IMAP, try one or the other or both depending on how many flavours of SSL you got going.
openssl s_client -starttls imap -connect mail.mydomain:143
openssl s_client -connect mail.mydomain:993
Joseph Tam jtam.home@gmail.com
-- Selçuk YAZAR http://www.selcukyazar.blogspot.com
In our Dovecot (2.0.9 on Red Hat) 10-ssl.conf file we have
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3
settings.
Are these settings correct for Dovecot? If they are correct, can we say there is a problem with Thunderbird? :)
I think you should fix your dovecot cipher list using the guidance from Mozilla's security team:
https://wiki.mozilla.org/Security/Server_Side_TLS
If your server is accessible from the web, you can run this test (it gives you very helpful advice for configuring your cipherlist):
https://www.htbridge.com/ssl
You can also test your setup with the script from this site (you will have to download some files but you can run it even if your server is not connected to the internet).
https://testssl.sh/
Ryan
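Added example, not part of any post in this thread: a small Python triage script that decodes the packed OpenSSL error code from the dovecot.log line quoted above and counts "no shared cipher" rejections per client. The error is raised on the server side, in SSL_accept() while it processes the ClientHello, when none of the suites the client offers is in the set the server has enabled. The log prefix, timestamps and addresses in the sample lines are constructed, and the `rip=` field layout is an assumption about the local log format.

```python
import re
from collections import Counter

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
SSL_LIB, NO_SHARED_CIPHER = 0x14, 0x0C1
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
RIP_RE = re.compile(r"\brip=([^,\s]+)")  # assumed client-address field

def decode_packed(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return a dict for a line carrying an OpenSSL error string, else None."""
    m = ERR_RE.search(line.strip())
    if not m:
        return None
    lib, func, reason = decode_packed(m.group(1))
    rip = RIP_RE.search(line)
    return {"lib": lib, "func": func, "reason": reason,
            "lib_text": m.group(2), "func_text": m.group(3), "reason_text": m.group(4),
            "client": rip.group(1) if rip else None}

def no_shared_cipher_by_client(lines):
    """Count handshakes the server rejected for lack of a common cipher suite."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["lib"], rec["reason"]) == (SSL_LIB, NO_SHARED_CIPHER):
            hits[rec["client"]] += 1
    return hits

# Constructed sample lines: prefixes, timestamps and addresses are made up;
# only the "no shared cipher" error string is taken from the thread.
SAMPLE = [
    "Jan 09 10:12:01 imap-login: Info: Disconnected: rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: "
    "SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "Jan 09 10:12:07 imap-login: Info: Disconnected: rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: "
    "SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "Jan 09 10:13:15 imap-login: Info: Disconnected: rip=192.0.2.25, lip=192.0.2.1, TLS handshaking: "
    "SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown",
    "Jan 09 10:13:40 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.25, lip=192.0.2.1, TLS",
]

if __name__ == "__main__":
    for client, count in no_shared_cipher_by_client(SAMPLE).items():
        print(f"{client}: {count} handshake(s) rejected, no shared cipher")
```

A client that shows up here repeatedly is offering only suites that ssl_cipher_list excludes, which is the point at which to compare the list against the Mozilla guidance linked above.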
participants (3): Joseph Tam, Ryan Beethe, Selcuk Yazar