[Dovecot] How do I make dovecot not use sslv2 for pop?
From nmap:
995/tcp open  ssl/pop3 Dovecot pop3d
|_ sslv2: server still supports SSLv2
|_ pop3-capabilities: USER CAPA UIDL PIPELINING RESP-CODES TOP SASL(PLAIN LOGIN)
pop3 allows SSLv2, imap doesn't. In my dovecot.conf I have:
ssl_cipher_list = ALL:!LOW:!SSLv2
at the global level. Do I need to put it inside the protocol pop3{} section?
Patrick
Patrick Horgan wrote:
From nmap:
995/tcp open  ssl/pop3 Dovecot pop3d
|_ sslv2: server still supports SSLv2
|_ pop3-capabilities: USER CAPA UIDL PIPELINING RESP-CODES TOP SASL(PLAIN LOGIN)
pop3 allows SSLv2, imap doesn't. In my dovecot.conf I have:
ssl_cipher_list = ALL:!LOW:!SSLv2
at the global level. Do I need to put it inside the protocol pop3{} section?
Just a bump, still have the problem, why would dovecot support sslv2 for pop, but not for imap, when it's configured to not support sslv2 at all?
Patrick
On Thu, 2010-01-28 at 15:23 -0800, Patrick Horgan wrote:
Just a bump, still have the problem, why would dovecot support sslv2 for pop, but not for imap, when it's configured to not support sslv2 at all?
I don't know why your nmap run would have shown only one of them supporting SSLv2, it should have shown both. And that's because I initialize OpenSSL with:
ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
So I guess what happens is that OpenSSL advertises that it supports SSLv2. But then the ssl_cipher_list's !SSLv2 doesn't let the SSLv2 handshake actually go through. So it's not really possible to use SSLv2. You can verify this with:
openssl s_client -ssl2 -connect localhost:995
Anyway.. I guess I should do something about this. Not really sure what, though.
On 29/01/2010 11:22 AM, Timo Sirainen wrote:
On Thu, 2010-01-28 at 15:23 -0800, Patrick Horgan wrote:
Just a bump, still have the problem, why would dovecot support sslv2 for pop, but not for imap, when it's configured to not support sslv2 at all?
I don't know why your nmap run would have shown only one of them supporting SSLv2, it should have shown both. And that's because I initialize OpenSSL with:
ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
So I guess what happens is that OpenSSL advertises that it supports SSLv2. But then the ssl_cipher_list's !SSLv2 doesn't let the SSLv2 handshake actually go through. So it's not really possible to use SSLv2. You can verify this with:
openssl s_client -ssl2 -connect localhost:995
Anyway.. I guess I should do something about this. Not really sure what, though.
Apache mod_ssl has both an SSLCipherSuite and an SSLProtocol option.
SSLCipherSuite takes the same syntax as Dovecot's ssl_cipher_list. Dovecot doesn't have an equivalent of SSLProtocol.
In Apache:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:-MD5:+HIGH:+MEDIUM:@STRENGTH
SSLProtocol all -SSLv2
I'm not that fussed, but it would be good to be able to disable for completeness. (I'm more fussed by MSIE6 preventing me from defaulting to stronger ciphers for web servers - and defaulting to SSLv2 enabled, but TLS disabled).
Rob Middleton.
Timo Sirainen wrote:
So I guess what happens is that OpenSSL advertises that it supports SSLv2. But then the ssl_cipher_list's !SSLv2 doesn't let the SSLv2 handshake actually go through. So it's not really possible to use SSLv2. You can verify this with:
openssl s_client -ssl2 -connect localhost:995
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Out of the Box Computing/CN=ootbcomp.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Out of the Box Computing/CN=ootbcomp.com
verify return:1
10171:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
So you're saying that because the last line shows the cipher list stopping it, then the security problems with sslv2 can't bite me?
Patrick
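As an added example (not from the thread, and not Dovecot's own code), the check Timo describes can be done without the `openssl s_client -ssl2` flag, which current OpenSSL builds no longer have: a Python probe sends an SSLv2 CLIENT-HELLO and classifies the reply, separating a server that will negotiate an SSLv2 cipher from one that answers with a SERVER-HELLO carrying the certificate but no cipher specs (the shape that matches the `no cipher list` error above) and from one that does not speak SSLv2 at all. The host, port and the constructed SERVER-HELLO replies are assumptions.

```python
import socket
import struct

# The seven cipher specs defined for SSLv2 (3-byte identifiers).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

def sslv2_record(body):
    # 2-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def sslv2_client_hello(challenge=b"\x00" * 16):
    # CLIENT-HELLO: type 0x01, version 0x0002, spec/session/challenge lengths, specs, challenge.
    specs = b"".join(SSLV2_CIPHERS)
    return sslv2_record(b"\x01\x00\x02" + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge)

def classify_reply(data):
    """Interpret the first record a server returns for the CLIENT-HELLO."""
    if len(data) < 2:
        return "no-reply"
    if not data[0] & 0x80:
        return "not-sslv2"          # e.g. a TLS alert record (0x15) or a plain-text banner
    body = data[2:2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)]
    # SERVER-HELLO: type 0x04, session-id-hit, cert type, version 0x0002, three lengths.
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return "not-sslv2"
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    if specs_len == 0:
        return "sslv2-hello-no-ciphers"   # speaks SSLv2 but offers nothing to negotiate
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
    return "sslv2-negotiable:" + ",".join(names)

def probe(host, port=995, timeout=5.0):
    # Live check of a POP3S port (host and port are assumptions); returns a classify_reply string.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv2_client_hello())
        return classify_reply(sock.recv(4096))

def make_server_hello(cipher_specs, cert=b"\x30\x03\x02\x01\x01", conn_id=b"\xaa" * 16):
    # Constructed SERVER-HELLO for offline checks (the cert bytes are a placeholder, not a real certificate).
    head = b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(cert), len(cipher_specs), len(conn_id))
    return sslv2_record(head + cert + cipher_specs + conn_id)
```

`probe("mail.example.com")` performs the live check; a result other than `not-sslv2` or `no-reply` means the listener still answers the SSLv2 hello, and only `sslv2-negotiable:` means a cipher could actually be agreed.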
participants (3): Patrick Horgan, Rob Middleton, Timo Sirainen