On 09/03/2015 14:13, Waldin wrote:
On 08.03.2015 at 09:14, Waldin wrote:

Now, I also want to check ciphers enabled in (mobile) mail clients.
I've tried to make OpenSSL listen on port 110 (for POP with TLS) and
redirected the client to the OpenSSL server.  But when trying to pull
mail I can't see any handshake information:
FTR, I've now managed to check my mobile mail client.  The hint was the
argument to the s_client command's -starttls option, which made me
realize that for handshaking with starttls a minimum understanding of
the protocol is needed.  OpenSSL probably doesn't include a POP or IMAP
server.  But it works without starttls, when listening on port 993:

openssl s_server -cert public.pem -key ca-key.pem -accept 993
Enter pass phrase for ca-key.pem:
Loading 'screen' into random state - done
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMBBAIAOQQABDAM5TDoa/9vlS6pUsqtlPWpgpMc1L7bvwCS5UGiIhut
13A4uf0Zm8T2/q3ULkxnkPKhBgIEVP2ataIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported
~A1 LOGIN "MYLOGIN" "MYPASSWORD"
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
Hurray!  But wait, a plain text password?  And no server certificate
pinning?  Oh, no!
Yep, that is essentially what the e-mail protocols allow in
most real world scenarios.  Note however that the password
is SSL/TLS encrypted, which is why some mail clients and
servers are quite insistent on having that enabled.  For
example, in the usual configuration of the e-mail servers
recommended by the Debian distribution (exim SMTP and courier
POP3/IMAP), the default is for the server to not even ask
for a password until SSL/TLS is active; the only thing a
client can do in plaintext is to ask for STARTTLS, or
deliver remote mail (which obviously doesn't require a password).

But at least the client should refuse if the certificate does
not match the DNS name or IP address it was trying to contact
(not to be confused with whatever name the server returns in
protocol messages such as the SMTP banner).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
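As an added example (not code from the thread, from OpenSSL, or from any mail server), the following Python script does the minimum Waldin's message says a STARTTLS probe needs: it speaks just enough IMAP to reach STARTTLS, refuses LOGIN before TLS is up in the way Jakob describes the Debian defaults behaving, and then parses the client's ClientHello to list every cipher suite the client offers. That is more than s_server's "Shared ciphers" line shows, since that line is only the intersection with the server's own list. The IMAP responses, the cipher ID table and the sample ClientHello are constructed here; CIPHER_NAMES covers only the suites that appear in the quoted s_server output, and the demo drives the probe with a scripted client over a socketpair so it runs offline.

```python
# Hypothetical IMAP STARTTLS probe for this thread; not OpenSSL or mail-server code.
import socket
import struct
import threading
from typing import List

# IANA cipher suite IDs -> OpenSSL names, limited to the suites in the quoted output.
CIPHER_NAMES = {
    0x0005: "RC4-SHA", 0x0007: "IDEA-CBC-SHA", 0x000A: "DES-CBC3-SHA",
    0x0013: "EDH-DSS-DES-CBC3-SHA", 0x0016: "EDH-RSA-DES-CBC3-SHA",
    0x002F: "AES128-SHA", 0x0032: "DHE-DSS-AES128-SHA", 0x0033: "DHE-RSA-AES128-SHA",
    0x0035: "AES256-SHA", 0x0038: "DHE-DSS-AES256-SHA", 0x0039: "DHE-RSA-AES256-SHA",
}
WEAK_MARKERS = ("RC4", "DES", "IDEA", "EXP", "NULL")   # substrings marking obsolete suites
CAPABILITY = b"IMAP4rev1 STARTTLS LOGINDISABLED"       # constructed capability list


def parse_client_hello(record: bytes) -> List[str]:
    """Return the cipher suites listed in a raw TLS ClientHello record."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3);
    # then client_version(2), random(32), session_id<0..32>, cipher_suites<2..>.
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                      # skip client_version and the 32-byte random
    pos += 1 + record[pos]                # skip the length-prefixed session_id
    if pos + 2 > len(record):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("truncated cipher_suites vector")
    suites = struct.unpack_from("!%dH" % (cs_len // 2), record, pos)
    return [CIPHER_NAMES.get(s, "0x%04X" % s) for s in suites]


def weak_suites(names: List[str]) -> List[str]:
    """Offered suites a defender would want removed from the client's configuration."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def build_client_hello(suite_ids: List[int]) -> bytes:
    """Constructed TLS 1.0 ClientHello used only as sample input for the demo."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"          # version, zero random, empty session_id
    body += struct.pack("!H", 2 * len(suite_ids))
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _readline(sock: socket.socket) -> bytes:
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("peer closed before STARTTLS")
        buf += ch
    return buf


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def serve_starttls_probe(conn: socket.socket) -> List[str]:
    """Answer IMAP until STARTTLS, then read the first TLS record instead of handshaking."""
    conn.sendall(b"* OK [CAPABILITY " + CAPABILITY + b"] probe ready\r\n")
    while True:
        tag, _, cmd = _readline(conn).decode("ascii", "replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPABILITY":
            conn.sendall(b"* CAPABILITY " + CAPABILITY + b"\r\n" + tag.encode() + b" OK done\r\n")
        elif cmd == "STARTTLS":
            conn.sendall(tag.encode() + b" OK begin TLS negotiation\r\n")
            break
        else:
            # LOGIN and anything else is refused until TLS is active, as in the
            # Debian-style server configuration described in the thread.
            conn.sendall(tag.encode() + b" NO STARTTLS required first\r\n")
    header = _read_exact(conn, 5)                        # TLS record header
    (length,) = struct.unpack("!H", header[3:5])
    return parse_client_hello(header + _read_exact(conn, length))


def demo() -> List[str]:
    """Drive the probe with a scripted client over a socketpair (no network, no certificate)."""
    srv, cli = socket.socketpair()
    offered: List[str] = []
    worker = threading.Thread(target=lambda: offered.extend(serve_starttls_probe(srv)))
    worker.start()
    _readline(cli)                                       # greeting
    cli.sendall(b"a1 LOGIN user secret\r\n")             # plaintext login attempt ...
    assert _readline(cli).startswith(b"a1 NO")           # ... is refused before TLS
    cli.sendall(b"a2 STARTTLS\r\n")
    assert _readline(cli).startswith(b"a2 OK")
    cli.sendall(build_client_hello([0x0039, 0x0035, 0x000A, 0x0005]))
    worker.join()
    srv.close()
    cli.close()
    return offered


if __name__ == "__main__":
    names = demo()
    print("offered:", names)
    print("obsolete:", weak_suites(names))
```

Against a real mail client, `serve_starttls_probe` would be handed the accepted socket from a listener on port 143; the client sees the connection fail after its ClientHello, since the probe never completes the handshake, but by then the full offered list has been logged. POP3 differs only in the greeting and the `STLS` command, and the same record parser applies to an implicit-TLS connection on port 993, where the ClientHello is the first thing the client sends.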

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users