Dovecot 2.1.7 still accepting SSLv3 though disabled?
Hello,
I came across a strange problem with my Dovecot 2.1.7 installation (updated Debian Wheezy) in regards to SSL/TLS connections.
My configuration is as follows:
$ dovecot -n | grep ssl
service imap-login {
  ssl = yes
  ...
}
ssl_cert = <......
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_key = <......
ssl_protocols = !SSLv3 !SSLv2
This cipherstring has been taken from https://bettercrypto.org/static/applied-crypto-hardening.pdf. But this is not the problem, when I comment it out, Dovecot still behaves the same way.
When I enable verbose_ssl I get this:
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [$CLIENTIP]
2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [$CLIENTIP]
Is this right? Is SSLv3 used on this connection?
But when I explicitly test for SSLv3 support I get
$ openssl s_client -connect $SERVERIP:993 -ssl3
CONNECTED(00000003)
140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1426411304
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Where I got this from says "if you get a handshake failure, then you don't support SSLv3". But in my case the following output kinda says that I do support it - with a cipher of (NONE)?
In regards to libraries
$ ldd /usr/lib/dovecot/imap-login | grep ssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1f55025000)
$ dpkg -l | grep ssl
ii libcrypt-openssl-bignum-perl 0.04-3 amd64 Access OpenSSL multiprecision integer arithmetic libraries
ii libcrypt-openssl-dsa-perl 0.13-6 amd64 module which implements the DSA signature verification system
ii libcrypt-openssl-rsa-perl 0.28-1 amd64 module for RSA encryption using OpenSSL
ii libcrypt-ssleay-perl 0.58-1 amd64 OpenSSL support for LWP
ii libio-socket-ssl-perl 1.76-2 all Perl module implementing object oriented interface to SSL sockets
ii libnet-ssleay-perl 1.48-1+b1 amd64 Perl module for Secure Sockets Layer (SSL)
rc libssl0.9.8 0.9.8o-4squeeze14 amd64 SSL shared libraries
ii libssl1.0.0:amd64 1.0.1e-2+deb7u14 amd64 SSL shared libraries
ii openssl 1.0.1e-2+deb7u14 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
ii openssl-blacklist 0.5-3 all Blacklists for OpenSSL RSA keys and tools
ii python-openssl 0.13-2+deb7u1 amd64 Python 2 wrapper around the OpenSSL library
ii ssl-cert 1.0.32 all simple debconf wrapper for OpenSSL
ii ssl-cert-check 3.22-1 all proactively handling X.509 certificate expiration
ii sslmate 0.6.2-1 all Buy and manage SSL certificates from the command line
My NginX is using the same library, and this does indeed support TLSv2, so what am I doing wrong in my Dovecot configuration?
Any clues?
Regards
Thomas
-- www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415 GPG Fingerprint: CCBD 153A D257 CA7E A217 FDF7 5928 03D1 7588 9415
Thomas Preissler:
> ssl_protocols = !SSLv3 !SSLv2

that disables SSLv3

> When I enable verbose_ssl I get this:
> 2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [$CLIENTIP]
> ...
> Is this right? Is SSLv3 used on this connection?

The logging is right, but SSLv3 isn't used. Today it's not uncommon that applications /log/ SSLv3 where they /mean/ TLS1.x.
Some days ago, when TLSv1 became available, there wasn't a great difference between SSLv3 and TLSv1.
So developers reused large portions of code. That's what you see here.

> But when I explicitly test for SSLv3 support I get
> $ openssl s_client -connect $SERVERIP:993 -ssl3
> CONNECTED(00000003)
> 140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
> 140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

That is the ultimate proof your server has SSLv3 disabled.

Andreas
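
An added example, not part of the original thread: a small shell helper that reads `openssl s_client` output and reports whether a cipher was actually negotiated, which is the line to trust rather than the `Protocol` field of the `SSL-Session` block (on a failed handshake that field only shows the version the client offered). The function names are hypothetical and both sample outputs are constructed, the first from the output quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample outputs are constructed.

# Read `openssl s_client` output on stdin and print one verdict line.
sclient_verdict() {
    awk '
        # Summary line: New, <protocol>, Cipher is <name or (NONE)>
        /^New, .*Cipher is / { sub(/^.*Cipher is /, ""); cipher = $0 }
        # SSL-Session Protocol field; on a failed handshake this is only
        # the version the client asked for, not something the server agreed to.
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); proto = $0 }
        END {
            if (cipher == "")            print "unknown"
            else if (cipher == "(NONE)") print "rejected offered=" proto
            else                         print "accepted proto=" proto " cipher=" cipher
        }'
}

# Constructed sample: the failed -ssl3 probe from the thread, shortened.
sample_rejected() {
cat <<'EOF'
CONNECTED(00000003)
140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

# Constructed sample: what a completed handshake looks like.
sample_accepted() {
cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# Against a live server (command as used in the thread):
#   openssl s_client -connect "$SERVERIP:993" -ssl3 </dev/null 2>&1 | sclient_verdict
```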
On Sun, Mar 15, 2015 at 02:42:00PM +0100, A. Schulze wrote:
> Thomas Preissler:
> The logging is right, but SSLv3 isn't used. Today it's not uncommon that applications /log/ SSLv3 where they /mean/ TLS1.x.
> Some days ago, when TLSv1 became available, there wasn't a great difference between SSLv3 and TLSv1.
> So developers reused large portions of code. That's what you see here.
>
> > But when I explicitly test for SSLv3 support I get
> > $ openssl s_client -connect $SERVERIP:993 -ssl3
> > CONNECTED(00000003)
> > 140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
> > 140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
>
> That is the ultimate proof your server has SSLv3 disabled.

Another fun trick for testing is

nmap -p 993 --script ssl-enum-ciphers foo.example.com

You'll then see (if you've got a new enough version) something like:

[...]
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
[...]

w