<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>In case it helps, here are the results of testssl.sh:</p>
<p><br>
</p>
<p><tt><a class="moz-txt-link-abbreviated" href="mailto:jervin@MiniUntu:~/testssl/testssl.sh$">jervin@MiniUntu:~/testssl/testssl.sh$</a> ./testssl.sh
kumo.kites.org:993</tt><tt><br>
</tt><tt><br>
</tt><tt>###########################################################</tt><tt><br>
</tt><tt> testssl.sh 3.0rc5 from <a class="moz-txt-link-freetext" href="https://testssl.sh/dev/">https://testssl.sh/dev/</a></tt><tt><br>
</tt><tt> (35c69be 2019-10-02 17:53:37 -- )</tt><tt><br>
</tt><tt><br>
</tt><tt> This program is free software. Distribution and</tt><tt><br>
</tt><tt> modification under GPLv2 permitted.</tt><tt><br>
</tt><tt> USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!</tt><tt><br>
</tt><tt><br>
</tt><tt> Please file bugs @ <a class="moz-txt-link-freetext" href="https://testssl.sh/bugs/">https://testssl.sh/bugs/</a></tt><tt><br>
</tt><tt><br>
</tt><tt>###########################################################</tt><tt><br>
</tt><tt><br>
</tt><tt> Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]</tt><tt><br>
</tt><tt> on MiniUntu:./bin/openssl.Linux.x86_64</tt><tt><br>
</tt><tt> (built: "Jan 18 17:12:17 2019", platform:
"linux-x86_64")</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Start 2019-10-11 07:28:20 -->>
3.222.54.62:993 (kumo.kites.org) <<--</tt><tt><br>
</tt><tt><br>
</tt><tt> rDNS (3.222.54.62): kumo.kites.org.</tt><tt><br>
</tt><tt> Service detected: IMAP, thus skipping HTTP
specific checks</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing protocols via sockets except NPN+ALPN </tt><tt><br>
</tt><tt><br>
</tt><tt> SSLv2 not offered (OK)</tt><tt><br>
</tt><tt> SSLv3 not offered (OK)</tt><tt><br>
</tt><tt> TLS 1 offered (deprecated)</tt><tt><br>
</tt><tt> TLS 1.1 offered (deprecated)</tt><tt><br>
</tt><tt> TLS 1.2 offered (OK)</tt><tt><br>
</tt><tt> TLS 1.3 offered (OK): final</tt><tt><br>
</tt><tt> NPN/SPDY not offered</tt><tt><br>
</tt><tt> ALPN/HTTP2 not offered</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing cipher categories </tt><tt><br>
</tt><tt><br>
</tt><tt> NULL ciphers (no encryption) not
offered (OK)</tt><tt><br>
</tt><tt> Anonymous NULL Ciphers (no authentication) not
offered (OK)</tt><tt><br>
</tt><tt> Export ciphers (w/o ADH+NULL) not
offered (OK)</tt><tt><br>
</tt><tt> LOW: 64 Bit + DES, RC[2,4] (w/o export) not
offered (OK)</tt><tt><br>
</tt><tt> Triple DES Ciphers / IDEA not
offered (OK)</tt><tt><br>
</tt><tt> Average: SEED + 128+256 Bit CBC ciphers offered</tt><tt><br>
</tt><tt> Strong encryption (AEAD ciphers) offered
(OK)</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing robust (perfect) forward secrecy, (P)FS --
omitting Null Authentication/Encryption, 3DES, RC4 </tt><tt><br>
</tt><tt><br>
</tt><tt> PFS is offered (OK) TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256</tt><tt><br>
</tt><tt> ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA</tt><tt><br>
</tt><tt> DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305</tt><tt><br>
</tt><tt> DHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM</tt><tt><br>
</tt><tt> DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA ECDHE-RSA-CAMELLIA256-SHA384</tt><tt><br>
</tt><tt> DHE-RSA-CAMELLIA256-SHA256
DHE-RSA-CAMELLIA256-SHA</tt><tt><br>
</tt><tt> DHE-RSA-ARIA256-GCM-SHA384
ECDHE-ARIA256-GCM-SHA384</tt><tt><br>
</tt><tt> TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256</tt><tt><br>
</tt><tt> ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256</tt><tt><br>
</tt><tt> DHE-RSA-AES128-CCM8
DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA256</tt><tt><br>
</tt><tt> DHE-RSA-AES128-SHA
ECDHE-RSA-CAMELLIA128-SHA256</tt><tt><br>
</tt><tt> DHE-RSA-CAMELLIA128-SHA256
DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA</tt><tt><br>
</tt><tt> DHE-RSA-ARIA128-GCM-SHA256
ECDHE-ARIA128-GCM-SHA256 </tt><tt><br>
</tt><tt> Elliptic curves offered: secp384r1 </tt><tt><br>
</tt><tt> DH group offered: Unknown DH group (1024
bits)</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing server preferences </tt><tt><br>
</tt><tt><br>
</tt><tt> Has server cipher order? yes (OK) -- only for <
TLS 1.3</tt><tt><br>
</tt><tt> Negotiated protocol TLSv1.3</tt><tt><br>
</tt><tt> Negotiated cipher TLS_AES_256_GCM_SHA384, 384
bit ECDH (P-384)</tt><tt><br>
</tt><tt> Cipher order</tt><tt><br>
</tt><tt> TLSv1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA AES256-SHA</tt><tt><br>
</tt><tt> CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA</tt><tt><br>
</tt><tt> DHE-RSA-CAMELLIA128-SHA AES128-SHA
SEED-SHA CAMELLIA128-SHA </tt><tt><br>
</tt><tt> TLSv1.1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA AES256-SHA</tt><tt><br>
</tt><tt> CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA</tt><tt><br>
</tt><tt> DHE-RSA-CAMELLIA128-SHA AES128-SHA
SEED-SHA CAMELLIA128-SHA </tt><tt><br>
</tt><tt> TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA</tt><tt><br>
</tt><tt> DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305</tt><tt><br>
</tt><tt> DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM
DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA</tt><tt><br>
</tt><tt> ECDHE-RSA-CAMELLIA256-SHA384
DHE-RSA-CAMELLIA256-SHA256 DHE-RSA-CAMELLIA256-SHA</tt><tt><br>
</tt><tt> AES256-GCM-SHA384 AES256-CCM8 AES256-CCM
AES256-SHA256 AES256-SHA CAMELLIA256-SHA256</tt><tt><br>
</tt><tt> CAMELLIA256-SHA ARIA256-GCM-SHA384
DHE-RSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384</tt><tt><br>
</tt><tt> ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA</tt><tt><br>
</tt><tt> DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM AES128-CCM8 AES128-CCM</tt><tt><br>
</tt><tt> DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
ECDHE-RSA-CAMELLIA128-SHA256</tt><tt><br>
</tt><tt> DHE-RSA-CAMELLIA128-SHA256
DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256</tt><tt><br>
</tt><tt> AES128-SHA256 AES128-SHA
CAMELLIA128-SHA256 SEED-SHA CAMELLIA128-SHA ARIA128-GCM-SHA256</tt><tt><br>
</tt><tt> DHE-RSA-ARIA128-GCM-SHA256
ECDHE-ARIA128-GCM-SHA256 </tt><tt><br>
</tt><tt> TLSv1.3: TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 </tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing server defaults (Server Hello) </tt><tt><br>
</tt><tt><br>
</tt><tt> TLS extensions (standard) "renegotiation info/#65281"
"server name/#0" "EC point formats/#11"</tt><tt><br>
</tt><tt> "session ticket/#35"
"supported versions/#43" "key share/#51"</tt><tt><br>
</tt><tt> "max fragment length/#1"
"encrypt-then-mac/#22"</tt><tt><br>
</tt><tt> "extended master
secret/#23"</tt><tt><br>
</tt><tt> Session Ticket RFC 5077 hint 7200 seconds, session
tickets keys seems to be rotated < daily</tt><tt><br>
</tt><tt> SSL Session ID support yes</tt><tt><br>
</tt><tt> Session Resumption Tickets no, ID: no</tt><tt><br>
</tt><tt> TLS clock skew Random values, no
fingerprinting possible </tt><tt><br>
</tt><tt> Signature Algorithm SHA256 with RSA</tt><tt><br>
</tt><tt> Server key size RSA 2048 bits</tt><tt><br>
</tt><tt> Server key usage Digital Signature, Key
Encipherment</tt><tt><br>
</tt><tt> Server extended key usage TLS Web Server
Authentication, TLS Web Client Authentication</tt><tt><br>
</tt><tt> Serial / Fingerprints
F451FC38110BD0CC08D03E6975C05AC0 / SHA1
5EB402C1FB4020C1697E48931F68D11145D48F43</tt><tt><br>
</tt><tt> SHA256
C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0</tt><tt><br>
</tt><tt> Common Name (CN) kumo.kites.org</tt><tt><br>
</tt><tt> subjectAltName (SAN) kumo.kites.org
<a class="moz-txt-link-abbreviated" href="http://www.kumo.kites.org">www.kumo.kites.org</a> </tt><tt><br>
</tt><tt> Issuer Sectigo RSA Domain
Validation Secure Server CA (Sectigo Limited from GB)</tt><tt><br>
</tt><tt> Trust (hostname) Ok via SAN and CN (same w/o
SNI)</tt><tt><br>
</tt><tt> Chain of trust Ok </tt><tt><br>
</tt><tt> EV cert (experimental) no </tt><tt><br>
</tt><tt> ETS/"eTLS", visibility info not present</tt><tt><br>
</tt><tt> Certificate Validity (UTC) 364 >= 60 days
(2019-10-10 20:00 --> 2020-10-09 19:59)</tt><tt><br>
</tt><tt> # of certificates provided 6 (certificate list
ordering problem)</tt><tt><br>
</tt><tt> Certificate Revocation List --</tt><tt><br>
</tt><tt> OCSP URI <a class="moz-txt-link-freetext" href="http://ocsp.sectigo.com">http://ocsp.sectigo.com</a></tt><tt><br>
</tt><tt> OCSP stapling not offered</tt><tt><br>
</tt><tt> OCSP must staple extension --</tt><tt><br>
</tt><tt> DNS CAA RR (experimental) not offered</tt><tt><br>
</tt><tt> Certificate Transparency yes (certificate extension)</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing vulnerabilities </tt><tt><br>
</tt><tt><br>
</tt><tt> Heartbleed (CVE-2014-0160) not vulnerable
(OK), no heartbeat extension</tt><tt><br>
</tt><tt> CCS (CVE-2014-0224) not vulnerable
(OK)</tt><tt><br>
</tt><tt> Ticketbleed (CVE-2016-9244), experiment. --
(applicable only for HTTPS)</tt><tt><br>
</tt><tt> ROBOT not vulnerable
(OK)</tt><tt><br>
</tt><tt> Secure Renegotiation (RFC 5746) supported (OK)</tt><tt><br>
</tt><tt> Secure Client-Initiated Renegotiation not vulnerable
(OK)</tt><tt><br>
</tt><tt> CRIME, TLS (CVE-2012-4929) not vulnerable
(OK) (not using HTTP anyway)</tt><tt><br>
</tt><tt> POODLE, SSL (CVE-2014-3566) not vulnerable
(OK)</tt><tt><br>
</tt><tt> TLS_FALLBACK_SCSV (RFC 7507) Downgrade
attack prevention supported (OK)</tt><tt><br>
</tt><tt> SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable
(OK)</tt><tt><br>
</tt><tt> FREAK (CVE-2015-0204) not vulnerable
(OK)</tt><tt><br>
</tt><tt> DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable
on this host and port (OK)</tt><tt><br>
</tt><tt> make sure you
don't use this certificate elsewhere with SSLv2 enabled services</tt><tt><br>
</tt><tt>
<a class="moz-txt-link-freetext" href="https://censys.io/ipv4?q=C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0">https://censys.io/ipv4?q=C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0</a>
could help you to find out</tt><tt><br>
</tt><tt> LOGJAM (CVE-2015-4000), experimental not vulnerable
(OK): no DH EXPORT ciphers</tt><tt><br>
</tt><tt> But: Unknown
DH group (1024 bits)</tt><tt><br>
</tt><tt> BEAST (CVE-2011-3389) TLS1:
ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA</tt><tt><br>
</tt><tt>
DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA</tt><tt><br>
</tt><tt>
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA</tt><tt><br>
</tt><tt>
DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA</tt><tt><br>
</tt><tt> SEED-SHA
CAMELLIA128-SHA </tt><tt><br>
</tt><tt> VULNERABLE --
but also supports higher protocols TLSv1.1 TLSv1.2 (likely
mitigated)</tt><tt><br>
</tt><tt> LUCKY13 (CVE-2013-0169), experimental potentially
VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS.
Check patches</tt><tt><br>
</tt><tt> RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers
detected (OK)</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Testing 370 ciphers via OpenSSL plus sockets against the
server, ordered by encryption strength </tt><tt><br>
</tt><tt><br>
</tt><tt>Hexcode Cipher Suite Name (OpenSSL) KeyExch.
Encryption Bits Cipher Suite Name (IANA/RFC)</tt><tt><br>
</tt><tt>-----------------------------------------------------------------------------------------------------------------------------</tt><tt><br>
</tt><tt>[redacted to reduce size]</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt> Running client simulations via sockets </tt><tt><br>
</tt><tt><br>
</tt><tt> Android 8.1 (native) TLSv1.2
ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> Android 9.0 (native) TLSv1.3
TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> Java 6u45 TLSv1.0 AES128-SHA, No FS</tt><tt><br>
</tt><tt> Java 7u25 TLSv1.0
ECDHE-RSA-AES128-SHA, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> Java 8u161 TLSv1.2
ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> Java 11.0.2 (OpenJDK) TLSv1.3
TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> Java 12.0.1 (OpenJDK) TLSv1.3
TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> OpenSSL 1.0.1l TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> OpenSSL 1.0.2e TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> OpenSSL 1.1.0j (Debian) TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> OpenSSL 1.1.1b (Debian) TLSv1.3
TLS_AES_256_GCM_SHA384, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt> Thunderbird (60.6) TLSv1.3
TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
</tt><tt><br>
</tt><tt> Done 2019-10-11 07:31:08 [ 170s] -->>
3.222.54.62:993 (kumo.kites.org) <<--</tt><br>
<br>
<br>
</p>
<div class="moz-cite-prefix">On 10/11/19 7:22 AM, C. James Ervin via
dovecot wrote:<br>
</div>
<blockquote type="cite"
cite="mid:651602d4-6b2c-403a-9a9d-d748f9d67576@kites.org">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>In setting up my new mail server, I am getting the following in
the logs:</p>
<p>Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected
(no auth attempts in 0 secs): user=<>, rip=24.53.79.10,
lip=172.26.12.90, <b>TLS handshaking: SSL_accept() syscall
failed: Success</b>, session=<B9OokqCUD+UYNU8K><br>
</p>
<br>
</blockquote>
</body>
</html>