On 16.10.2014 at 00:33, Sam Varshavchik wrote:
Oliver Mihatsch writes:
Hi,
I would like to reconfigure my courier-imap to use only TLS for secure
connections.
Currently I'm defining the following constant in the imapd-ssl
configuration file:
TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
TLS1 is working fine but when I'm trying to connect using TLS1.1 or
TLS1.2, the server rejects it:
openssl s_client -connect myServer:993 -tls1_2
"Secure Renegotiation IS NOT supported"
When I unset the TLS_PROTOCOL variable, SSLv3, TLS1.0, TLS1.1 and TLS1.2
are working.
Any ideas how I can fix this? Perhaps the constants TLS1_2 and TLS1_1
are not recognized?
It's an OpenSSL configuration quirk. In order for protocol negotiation
to take place, SSLv3 must be included.
The trick is to enable SSLv3 but to disable all SSLv3 ciphers via
TLS_CIPHER_LIST.
The default setting is
TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
So, just remove SSLv3.
Thanks a lot for the tips. But now things get weird.
Commented TLS_PROTOCOL and defined TLS_CIPHER_LIST as you recommend.
Behaviour when using the following variable (removed SSLv3):
TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
SSLv3 working, TLS 1.0 working, TLS 1.1 working, TLS 1.2 working (no
changes to before)
Behaviour when using the following variable (added !):
TLS_CIPHER_LIST="!SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
SSLv3 not working, TLS 1.0 not working, TLS 1.1 not working, TLS 1.2
working?!
Behaviour when using the following variable (added !, added TLSv1_1):
TLS_CIPHER_LIST="!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
SSLv3 working, TLS 1.0 working, TLS 1.1 working, TLS 1.2 working (no
changes to before)
So results were not really what I was expecting. SSLv3 and TLS1/1.1 are
somehow just an alias for each other.
_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap