Re: [Dovecot] disabling SSLv2 in dovecot 1.2.17
Hi Mark,
I think I may not have been clear enough in my query, sorry!
What I'm trying to do is to prevent SSLv2 connections being made to our IMAP server while allowing SSLv3 and TLSv1 connections. I think I've prevented the use of SSLv2 ciphers but this does not prevent SSLv2 protocol connections (as far as I can tell).
(Once connected, the SSLv2 client finds it has no ciphers so the session fails at that point but this is not enough to satisfy our security audit. I want to disable the use of the SSLv2 protocol itself, not just the SSLv2 ciphers)
steve.platt@mrc-bsu.cam.ac.uk said:
I see Dovecot2 had the following change a year or so ago, in file src/login-common/ssl-proxy-openssl.c:
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
I tried making the same change to dovecot1's src tree on our test system and it seems to have the desired effect ...
I'm testing this by using:
openssl s_client -ssl2 -connect mailhost:993
This should fail immediately with "ssl handshake failure" (for a happy audit!).
Thanks again, Steve