[Dovecot] compressed IMAP traffic

Leonardo Rodrigues leolistas at solutti.com.br
Tue Sep 29 13:33:13 EEST 2009


    well ..... here for me, with 'openssl s_client', I can't even connect 
when using -ssl2:

[root at correio ~]# openssl s_client -connect localhost:993 -ssl2
[ ... ]
27110:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher 
list:s2_clnt.c:450:
[root at correio ~]#

    but that's probably because I have in dovecot.conf:

ssl_cipher_list = ALL:!LOW:!SSLv2


    with ssl3 and tls1 I can connect and see the zlib compression being 
enabled.

SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
[ ..... ]
   Compression: 1 (zlib compression)

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
[ ..... ]
   Compression: 1 (zlib compression)


    Thunderbird has options to enable/disable each cipher of 
ssl2/ssl3/tls1 as well as to disable them completely. Here in my 
Thunderbird 2.0.0.23, SSLv2 is disabled, and this is certainly the 
default config, as I never tweaked this.

http://img43.imageshack.us/img43/7937/thunderbirdssl2.jpg


    logging from dovecot shows clearly that I'm using TLSv1 to connect 
...  it also shows that TLSv1 connections from Thunderbird do not use 
compression, and connections from gnutls-cli correctly enable it


thunderbird 2.0.0.23
Sep 29 07:12:02 correio dovecot: imap-login: Login: 
user=<mail at box.com.br>, method=PLAIN, rip=189.114.xx.xx, 
lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)


gnutls-cli
Sep 28 18:36:54 correio dovecot: imap-login: Login: 
user=<mail at box.com.br>, method=PLAIN, rip=189.11.xx.xx, 
lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
bits) zlib compression


    Wireshark confirms I'm using TLSv1 and also shows Thunderbird is 
announcing that no compression is supported.


http://img33.imageshack.us/img33/9011/wiresharktlsv1.jpg


    so ..... despite the known fact that SSLv2 can't be used if 
compression is wanted, using SSLv3 and TLSv1 apparently does not 
automatically guarantee that .....


Patrick Domack wrote:
> More testing, seems all my imap clients attempt to use ssl2 first, and 
> from the openssl mailing list:
>
>   Oops, should've made this clearer. It is only clients that need to 
> avoid the
>   old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs 
> to be
>   done to a server.
>   http://www.mail-archive.com/openssl-users@openssl.org/msg49926.html
>
> This is confirmed using openssl s_client -connect host:993 
> (-ssl3|-tls1|-ssl2)
>
> I don't see any way around this globally, unless each program has a 
> config option to disable ssl2.


-- 


	Best regards / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it

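The post's Wireshark check (looking at which compression methods the client's hello advertises) can be scripted. The following is an added example, not code from the thread or from Dovecot; it builds constructed ClientHello byte strings in the two formats the thread contrasts and parses out the advertised compression methods. The client-like inputs (gnutls-cli offering zlib, Thunderbird offering only null, an SSLv2-compatible hello) are assumptions modelled on what the post reports, not captured traffic. Caveat for readers today: TLS-level compression was later shown to leak secrets (the CRIME attack, 2012) and is disabled in current TLS stacks, so this check is now mostly useful for confirming that a client does not offer it.

```python
"""Inspect a TLS ClientHello for advertised compression methods.

Added example (not from the Dovecot thread). It parses the first bytes a
client sends, the way the Wireshark check in the post does, and reports
whether the client offers zlib (method 1) at all. An SSLv2-compatible
hello has no compression field, so it can never negotiate compression,
which is the point made about SSLv2 in the thread.
"""
import struct

COMPRESSION_NAMES = {0: "null", 1: "zlib"}  # RFC 3749 registers zlib as method 1


def build_client_hello(version, cipher_suites, compression_methods):
    """Build a minimal SSLv3/TLSv1 ClientHello record (constructed test input)."""
    body = struct.pack(">H", version)                     # client_version
    body += b"\x00" * 32                                  # random (zeroed for the example)
    body += b"\x00"                                       # session_id length 0
    body += struct.pack(">H", 2 * len(cipher_suites))     # cipher_suites length
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(handshake)) + handshake


def build_sslv2_client_hello(version, cipher_specs):
    """Build an SSLv2-compatible CLIENT-HELLO (2-byte header, msg type 1). Constructed."""
    # SSLv2 cipher specs are 3 bytes each; the format has no compression field.
    specs = b"".join(cs.to_bytes(3, "big") for cs in cipher_specs)
    body = b"\x01" + struct.pack(">H", version)           # msg type, client version
    body += struct.pack(">HHH", len(specs), 0, 16)        # cipher-spec, session-id, challenge lengths
    body += specs + b"\x00" * 16                          # specs + zeroed challenge
    return struct.pack(">H", 0x8000 | len(body)) + body   # high bit set: 2-byte header, no padding


def parse_client_hello(data):
    """Return a dict: hello format, client version, compression methods, zlib_offered."""
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record header followed by CLIENT-HELLO: there is no compression field
        version = struct.unpack(">H", data[3:5])[0]
        return {"format": "sslv2", "version": version, "compression": [], "zlib_offered": False}
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                          # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                    # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                     # skip cipher_suites
    comp_len = body[pos]
    pos += 1
    methods = list(body[pos:pos + comp_len])
    return {
        "format": "sslv3/tls",
        "version": version,
        "compression": [COMPRESSION_NAMES.get(m, hex(m)) for m in methods],
        "zlib_offered": 1 in methods,
    }


# Constructed inputs modelled on the post: 0x0039 is DHE-RSA-AES256-SHA, 0x0301 is TLSv1.
GNUTLS_LIKE = build_client_hello(0x0301, [0x0039], [1, 0])        # offers zlib, then null
THUNDERBIRD_LIKE = build_client_hello(0x0301, [0x0039], [0])      # offers only null
SSLV2_LIKE = build_sslv2_client_hello(0x0301, [0x000039])         # SSLv2-compatible hello

if __name__ == "__main__":
    for name, hello in [("gnutls-cli-like", GNUTLS_LIKE),
                        ("thunderbird-like", THUNDERBIRD_LIKE),
                        ("sslv2-compatible", SSLV2_LIKE)]:
        info = parse_client_hello(hello)
        print(f"{name}: format={info['format']} version=0x{info['version']:04x} "
              f"compression={info['compression']} zlib_offered={info['zlib_offered']}")
```

Run it directly to see the three cases side by side; to check a real client, feed `parse_client_hello` the raw bytes of the first TLS record from a capture (for example exported from Wireshark) instead of the constructed inputs.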