Dear Sam (and anyone else interested).

Over the past few years there has been widespread confusion over the meaning of the "cipher list" OpenSSL option. This mostly stems from the fact that some items in that option are named after specific protocols (such as SSLv3).

The reality is the following: OpenSSL (and many other SSL/TLS libraries) maintain a strict distinction between the list of *protocols* enabled (in OpenSSL this is controlled via option bits such as SSL_OP_NO_SSLv3) and the list of "cipher suites" enabled for those protocols (in OpenSSL this is what the "cipher list" controls).

The confusing parts are these:

* The meaning of the protocol-disabling config bits (such as SSL_OP_NO_TLSv1) was significantly changed in OpenSSL version 1.0.1b, as explained in their changelog. For example, to allow only TLS 1.0 and above in OpenSSL 1.0.1b and later, you must pass (SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2) in one call, otherwise you will get a completely different result.

* The cipher suite list allows the abbreviation "SSLv3" (and similar) to mean "all those cipher suites which can be used when the protocol happens to be SSLv3".

* Disabling all the ciphers that can be used with a specific protocol (e.g. putting "-SSLv3" in the cipher list) will have the logical side effect of preventing use of that protocol, but will still have the much larger effect of disabling all those cipher suites (many of them good, popular cipher suites) even when running modern protocols such as TLS 1.2.

Thus to disable connections with the TLSv3 protocol (which handles block ciphers in CBC mode insecurely (POODLE) and has no secure ciphers of other kinds), programs should pass the relevant SSL_OP_ bits, not adjust the cipher list.

Programs that value security above microscopic speedups should also pass options such as SSL_OP_SINGLE_ECDH_USE|SSL_OP_SINGLE_DH_USE.

Additionally, programs that *make* SSL/TLS connections (imap proxy, outgoing SMTP in the case of courier) should either not implement the "retry with lower SSL/TLS protocol version if connection fails" logic *or* set SSL_MODE_SEND_FALLBACK_SCSV on any connection attempts where it is actually trying with a lower SSL/TLS protocol than it tried first. This tells the server that this is happening and allows it to block an attack on the protocol version selection itself.

Also note that the numeric values of option and mode bits change between library versions, so get them from the build-time header for the OpenSSL version actually used.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
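The distinction Jakob draws above (protocol option bits versus the "SSLv3" cipher-list alias) can be observed directly. The following is an added example, not part of the original message and not Courier or OpenSSL project code; it uses Python's standard ssl module, which wraps SSL_CTX_set_options() and SSL_CTX_set_cipher_list(), so the same calls a C program would make are exercised without a build against libssl. It assumes an OpenSSL build whose "ALL" list still contains some SSLv3-era suites (AES128-SHA and friends), and it does not cover SSL_MODE_SEND_FALLBACK_SCSV, which Python's ssl module does not expose.

```python
"""Protocol option bits versus the "SSLv3" cipher-list alias.

Added illustration of the point in the message above; assumes an OpenSSL
build whose "ALL" cipher list contains at least one SSLv3-era suite.
"""
import ssl


def suite_names(ctx: ssl.SSLContext) -> set:
    """Names of every cipher suite the context is willing to negotiate."""
    return {c["name"] for c in ctx.get_ciphers()}


def by_option_bits() -> ssl.SSLContext:
    """Recommended approach: refuse SSLv2/SSLv3 with option bits and leave
    the cipher list alone.

    NO_SSLv2 and NO_SSLv3 are OR'ed in together in one assignment, as the
    message advises for OpenSSL >= 1.0.1b.  SINGLE_DH_USE / SINGLE_ECDH_USE
    are passed as well; on OpenSSL 1.1.0+ those constants are 0 because the
    behaviour became unconditional.  Python already sets the NO_SSLv* bits
    on a fresh SSLContext, so this mirrors what a C program must do itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
                    | ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
    ctx.set_ciphers("ALL")  # broad list so the two contexts are comparable
    return ctx


def by_cipher_list() -> ssl.SSLContext:
    """The mistake: try to 'disable SSLv3' by subtracting the SSLv3 alias.

    Every suite OpenSSL files under the "SSLv3" alias disappears, including
    suites that are perfectly negotiable under TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:-SSLv3")
    return ctx


def sslv3_disabled_by_bits(ctx: ssl.SSLContext) -> bool:
    """True when the protocol itself is refused via the option bit."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def lost_suites() -> set:
    """Suites the cipher-list approach throws away compared with the
    option-bit approach (the collateral damage the message describes)."""
    return suite_names(by_option_bits()) - suite_names(by_cipher_list())


def collateral_damage() -> dict:
    """Lost suites grouped by the minimum protocol OpenSSL records for
    them ('protocol' in get_ciphers()); none of them is TLS 1.2-only."""
    lost = lost_suites()
    groups = {}
    for c in by_option_bits().get_ciphers():
        if c["name"] in lost:
            groups.setdefault(c["protocol"], set()).add(c["name"])
    return groups


if __name__ == "__main__":
    for proto, names in sorted(collateral_damage().items()):
        print("%-8s %d suites removed by '-SSLv3', e.g. %s"
              % (proto, len(names), sorted(names)[:3]))
    print("SSLv3 refused via option bit:", sslv3_disabled_by_bits(by_option_bits()))
```

Run it against the OpenSSL your interpreter links and the removed set will contain RSA/DHE CBC-SHA1 suites that TLS 1.2 clients still negotiate, while no GCM or TLS 1.3 suite is touched; that is the difference between subtracting an alias and refusing a protocol.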