Re: cyradm and TLS 1.2

Thanks! You have the more correct fix. From https://www.openssl.org/docs/man1.1.0/man3/TLSv1_client_method.html:

"TLS_method(), TLS_server_method(), TLS_client_method()
These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Applications should use these methods, and avoid the version-specific methods described below."

Thanks,
John

On 10/15/2019 6:04 PM, ellie timoney wrote:
> Thanks for reporting back. For whatever it's worth, the equivalent fix on 2.5+ uses "TLS_client_method()", not "TLSv1_2_client_method()". I'm not sure what difference it makes, but maybe it requires a newer OpenSSL than you have?
>
> Here's the commit to master, fyi: https://github.com/cyrusimap/cyrus-imapd/commit/78f79ea53238c8596e2f8602b7b1e29a16863ae9
>
> On Tue, Oct 15, 2019, at 7:43 AM, John Widera wrote:
>> Turns out imclient (at least in the latest RHEL7 pkg) is hardcoded to use TLSv1. Since we're building binary RPMs from Source RPMs anyway we modified imclient.c, rebuilt the RPMs, reinstalled the cyrus-imapd-utils package. Here's the patch we used:
>>
>> --- imclient.c.orig 2012-12-01 13:57:54.0 -0600
>> +++ imclient.c 2019-10-03 14:40:11.254566297 -0500
>> @@ -1695,7 +1695,7 @@
>> return -1;
>> }
>> - imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method());
>> + imclient->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
>> if (imclient->tls_ctx == NULL) {
>> return -1;
>> };
>> ---
>>
>> Maybe this helps someone else.
>>
>> Regards,

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: cyradm and TLS 1.2

Thanks for reporting back. For whatever it's worth, the equivalent fix on 2.5+ uses "TLS_client_method()", not "TLSv1_2_client_method()". I'm not sure what difference it makes, but maybe it requires a newer OpenSSL than you have?

Here's the commit to master, fyi: https://github.com/cyrusimap/cyrus-imapd/commit/78f79ea53238c8596e2f8602b7b1e29a16863ae9

On Tue, Oct 15, 2019, at 7:43 AM, John Widera wrote:
> Turns out imclient (at least in the latest RHEL7 pkg) is hardcoded to use TLSv1. Since we're building binary RPMs from Source RPMs anyway we modified imclient.c, rebuilt the RPMs, reinstalled the cyrus-imapd-utils package. Here's the patch we used:
>
> --- imclient.c.orig 2012-12-01 13:57:54.0 -0600
> +++ imclient.c 2019-10-03 14:40:11.254566297 -0500
> @@ -1695,7 +1695,7 @@
> return -1;
> }
> - imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method());
> + imclient->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
> if (imclient->tls_ctx == NULL) {
> return -1;
> };
> ---
>
> Maybe this helps someone else.
>
> Regards,
Re: cyradm and TLS 1.2

Turns out imclient (at least in the latest RHEL7 pkg) is hardcoded to use TLSv1. Since we're building binary RPMs from Source RPMs anyway we modified imclient.c, rebuilt the RPMs, reinstalled the cyrus-imapd-utils package. Here's the patch we used:

--- imclient.c.orig 2012-12-01 13:57:54.0 -0600
+++ imclient.c 2019-10-03 14:40:11.254566297 -0500
@@ -1695,7 +1695,7 @@
return -1;
}
- imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method());
+ imclient->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
if (imclient->tls_ctx == NULL) {
return -1;
};
---

Maybe this helps someone else.

Regards,

> Hi All,
>
> We're hoping to find some help on the list...
>
> We are running Cyrus-IMAP on RHEL7, using an RPM pkg (cyrus-imapd-2.4.17-13.el7) built from the Red Hat SRC RPM. We also have SASL, Utils, devel etc. pkgs all from RH.
>
> Now we're looking to finally move Cyrus completely off insecure TLS versions. But now there is a lingering issue...
>
> We removed tls1_0 from imapd.conf, and the cyradm shell stopped working. We can no longer connect at all:
>
> cyradm -u cyrus
> [ SSL_connect error -1 ]
> [ SSL session removed ]
> [ TLS negotiation did not succeed ]
> cyradm: cannot authenticate to server with as cyrus
>
> cyradm -u cyrus --notls
> [ SSL_connect error -1 ]
> [ SSL session removed ]
> [ TLS negotiation did not succeed ]
> cyradm: cannot authenticate to server with as cyrus
>
> The presumption is (as cyradm is just a wrapper script) any Perl scripts calling Cyrus::IMAP::Admin over a STARTTLS connection could likewise be broken (?) if we block TLS 1.0.
>
> cyradm is using TLSv1 per maillog:
>
> imaps[14096]: starttls: TLSv1 with cipher
>
> Our man page for cyradm shows a "--notls" option, which does not work/changes nothing. Oddly, the cyradm help flag does NOT show this option, yet cyradm doesn't bark when it's passed:
>
> usage: cyradm [args] server
>   --user <user>        Connect as <user> (authentication name)
>   --authz <user>       Authorize as <user>
>   --[no]rc             (Do not) load the configuration files
>   --systemrc <file>    Use system-wide configuration <file>
>   --userrc <file>      Use user configuration <file>
>   --port <port>        Connect to server on <port>
>   --auth <mechanism>   Authenticate with <mechanism>
>
> A web search reveals the man page for cyradm in Cyrus v.3, and it shows notls as an option to authenticate, after a server connection is made, so it's unclear to me what's going on...
>
> Does anyone have cyradm working with TLS1.2?
>
> Regards & THANKS in advance for any assistance or suggestions offered.
>
> --
> John
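Review bot: The one-line change at 1695 trades one hardcoded protocol version for another. TLSv1_2_client_method() pins the client to exactly TLS 1.2, so it will fail in the same way again the day the server side is restricted to TLS 1.3 (and it is a deprecated, version-specific method in OpenSSL 1.1.0 and later, which is why the 2.5+ commit cited in this thread uses TLS_client_method() instead). On the OpenSSL 1.0.2 that RHEL7 ships, the equivalent version-flexible method is SSLv23_client_method(); the "no TLS 1.0" requirement then belongs in an explicit SSL_CTX_set_options(imclient->tls_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1) placed after the `if (imclient->tls_ctx == NULL)` check, rather than in the choice of method. That keeps the floor visible in the code and lets the same build negotiate anything newer.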