Re: is TLS/SSL selection/connection ONLY via port 993?

2004-11-16 Thread OpenMacNews
hi again,

> > but, why is "imapd -s is for IMAP connections that are externally wrapped
> > by SSL" --> considered "BAD"?
>
> Because TLS allows one to select which certificate to present, and SSL
> doesn't.

aha.

> SSLv2 should not be used at all if you can help it

gone.

> > i presume, then, that SSLvX *starts* encrypted ... hence the port 993. true?
>
> Yes.

it's actually starting to make sense =)

> > > BTW add this to imapd.conf:
> > > tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I did
> some extra reading.
>
> >    tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> >
> > i _thought_ the !ADH is there by default ... and i see no reason NOT to
> > explicitly include (ALL) the high/med grade ciphers.
>
> It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the
> latter is better).  Try openssl ciphers -v, and you'll see.

got it.  cryptic, but with a little staring ... clear.

thx!  it's working perfectly now ... on to the next step.
best,
richard
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: is TLS/SSL selection/connection ONLY via port 993?

2004-11-16 Thread Henrique de Moraes Holschuh
On Mon, 15 Nov 2004, OpenMacNews wrote:
> but, why is "imapd -s is for IMAP connections that are externally wrapped 
> by SSL" --> considered "BAD"?

Because TLS allows one to select which certificate to present, and SSL
doesn't.  SSLv3 is pretty much as good as TLSv1 otherwise (but I gather that
TLSv1 has a better method to set up the shared symmetrical key).

SSLv2 should not be used at all if you can help it, it has even more
weaknesses, to the point that TLS servers will effectively deny SSLv2
connections to anything they detect to support TLS :).  
SSLv1 is an absolute no.

> i presume, then, that SSLvX *starts* encrypted ... hence the port 993.  
> true?

Yes.

> >BTW add this to imapd.conf:
> >tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I did
some extra reading.

>tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> 
> i _thought_ the !ADH is there by default ... and i see no reason NOT to 
> explicitly include (ALL) the high/med grade ciphers.

It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the
latter is better).  Try openssl ciphers -v, and you'll see.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


Re: is TLS/SSL selection/connection ONLY via port 993?

2004-11-16 Thread OpenMacNews
hi henrique!

> On Mon, 15 Nov 2004, OpenMacNews wrote:
> >    SERVICES {
> >    #   imap   cmd="imapd" listen="imap" prefork=0
> >        imaps  cmd="imapd -s" listen="imaps" prefork=0
>
> That's not what you want.

aha. nice & clear again.  thx!

but, why is "imapd -s is for IMAP connections that are externally wrapped by
SSL" --> considered "BAD"?

> TLS starts with
> plaintext, and goes to encryption early (before any sensitive information is
> exchanged, but *after* important stuff that could be useful to select
> encryption/authentication keys like the server name is exchanged).

the 'starts with plaintext' explains why the UNencrypted 'imap' port (vs
'imaps') is used for the TLS connection.

i presume, then, that SSLvX *starts* encrypted ... hence the port 993.  true?

> BTW add this to imapd.conf:
> tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> That will disable all weak ciphers, and leave you with medium grade and high
> grade ciphers.  Try openssl ciphers -v ''
> to see what you get.  If you can get away with it, remove SSLv2 (add !SSLv2
> after ALL:) too.  man ciphers (openssl ciphers) to see how this works.

i actually had:
   tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

i _thought_ the !ADH is there by default ... and i see no reason NOT to
explicitly include (ALL) the high/med grade ciphers.

ok. fair enuf!

> And try to have both sides of the connection authenticated (require client
> certificates with a certification path known to the server).

i already have, setting up my own local CA ... i've just removed the step from
the equation for now while i step-by-step the testing/configuration ...

cheers,
richard


Re: is TLS/SSL selection/connection ONLY via port 993?

2004-11-15 Thread Henrique de Moraes Holschuh
On Mon, 15 Nov 2004, OpenMacNews wrote:
>SERVICES {
> # imap  cmd="imapd" listen="imap" prefork=0
>   imaps  cmd="imapd -s" listen="imaps" prefork=0

That's not what you want.  Enable both services, and configure
sasl_minimum_layer to 128 (or is that 64? I forgot. See the SASL docs for
the correct value).

imapd -s is for IMAP connections that are externally wrapped by SSL (bad).
imapd is for non-encrypted IMAP connections, and IMAP connections that use
TLS (good).  sasl_minimum_layer tells Cyrus what you require of the
connection.

> however, if i instead login with server ==
> mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no
> connection occurs, and the attempt times out after the tls_session_timeout
> (60 seconds).

Because you effectively connected without SSL to a SSL port. TLS starts with
plaintext, and goes to encryption early (before any sensitive information is
exchanged, but *after* important stuff that could be useful to select
encryption/authentication keys like the server name is exchanged).

BTW add this to imapd.conf:
tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

That will disable all weak ciphers, and leave you with medium grade and high
grade ciphers.  Try openssl ciphers -v ''
to see what you get.  If you can get away with it, remove SSLv2 (add !SSLv2
after ALL:) too.  man ciphers (openssl ciphers) to see how this works.

And try to have both sides of the connection authenticated (require client
certificates with a certification path known to the server).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
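Added illustration of the "try openssl ciphers -v" advice above (not code from the thread or from Cyrus): the script expands the three tls_cipher_list strings discussed in this thread through the OpenSSL that Python's ssl module links against, and flags the anonymous (Au=None) suites that distinguish !ADH from !aNULL. It assumes Python 3.6+ with an OpenSSL-backed ssl module; the exact suite names depend on the local OpenSSL build.

```python
import ssl

# The three cipher strings from the thread: the original imapd.conf setting,
# the first suggestion (!ADH) and the improved one (!aNULL).
CIPHER_STRINGS = {
    "original": "TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH",
    "no_adh":   "ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH",
    "no_anull": "ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH",
}


def expand(cipher_string):
    """Return the suites OpenSSL selects for a cipher string, as the dicts the
    ssl module builds from SSL_CIPHER_description (the same Kx=/Au=/Enc=/Mac=
    text that 'openssl ciphers -v' prints)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def anonymous_suites(cipher_string):
    """Suites with no server authentication (Au=None): ADH and AECDH.
    !ADH only removes the DH ones; !aNULL removes both families."""
    return [c["name"] for c in expand(cipher_string)
            if "Au=None" in c["description"]]


def weakest_bits(cipher_string):
    """Smallest effective key size among the selected suites (TLS 1.3 suites,
    which set_ciphers does not control, are included in the list too)."""
    return min(c["strength_bits"] for c in expand(cipher_string))


def compare():
    """Side-by-side summary of what each string leaves enabled, then the full
    'openssl ciphers -v'-style listing for the recommended string."""
    for label, s in CIPHER_STRINGS.items():
        print(f"{label}: {len(expand(s))} suites, weakest {weakest_bits(s)} bits, "
              f"anonymous: {anonymous_suites(s) or 'none'}")
    for c in expand(CIPHER_STRINGS["no_anull"]):
        print("  " + c["description"])


if __name__ == "__main__":
    compare()
```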


is TLS/SSL selection/connection ONLY via port 993?

2004-11-15 Thread OpenMacNews
hi all,
on a MacOSX 10.3.6 sys with:
   cyrus-imap 2.2.8
   cyrus-sasl 2.1.20
i've a canonical server:
  testserver.internal.testdomain.com
and a virtual domain:
  mail2.internal.testdomain.com
i'm currently auth'ing PLAINTEXT via auxprop+sql (MySQL 4.1.7)
i've set up cyrus.conf to LISTEN *only* on the imaps svc (port 993)
   ...
   SERVICES {
   #   imap   cmd="imapd" listen="imap" prefork=0
       imaps  cmd="imapd -s" listen="imaps" prefork=0
   ...
and, imapd.conf to include:
   ...
   sasl_mech_list: PLAIN LOGIN
   sasl_password_format: crypt
   sasl_minimum_layer: 0
   sasl_maximum_layer: 1024
   ...
   tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
   tls_require_cert: 0
   tls_session_timeout: 60
   ...
using my imap client (mulberry), i can successfully login to an account, 
'testuser' in the virtual domain, with server == 
mail2.internal.testdomain.com:993 and security == SSLv3.

however, if i instead login with server == mail2.internal.testdomain.com:993
and security == STARTTLS-TLSv1, no connection occurs, and the attempt times out
after the tls_session_timeout (60 seconds).

if i then drop back to listen ONLY on imap service, i.e. cyrus.conf:
   ...
   SERVICES {
       imap   cmd="imapd" listen="imap" prefork=0
   #   imaps  cmd="imapd -s" listen="imaps" prefork=0
   ...
i can successfully make connections to server:143 with security == NO
SECURITY !!or!! security == STARTTLS-TLSv1 !!or!! security == SSLv3.  i.e., TLS
negotiated sessions are occurring over port 143 -- the 'wrong' port.

bottom line:
   client to server:143, security = NO SECURITY           --> OK (right)
   client to server:143, security = SSLv3, STARTTLS-TLSv1 --> OK (wrong)
   client to server:993, security = NO SECURITY           --> NO CONNECTION (right)
   client to server:993, security = SSLv3                 --> OK (right)
   client to server:993, security = STARTTLS-TLSv1        --> NO CONNECTION (wrong)

#
## QUESTION
   i don't think this is right, is it?  aren't TLS & SSL sessions ONLY 
supposed to connect to port 993, and sessions with no-security ONLY to port 143?

or, have i misunderstood how this is supposed to operate?
threads here:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19483
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg02411.html
have me suspecting this may be the client ...
thanks,
richard