Public bug reported:

Tried several configurations on /etc/dovecot/conf.d/10-ssl.conf
regarding the parameter ssl_cipher_list

example:

ssl_cipher_list = ECDHE-RSA-AES256-SHA:!

should allow only the stated cipher.

result:

sslscan --no-failed mail.example.com:995

    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA

I can set whatever line on ssl_cipher_list; it won't change anything.

On Postfix I can set

smtpd_tls_mandatory_ciphers = high

result:

sslscan --no-failed mail.example.com:465

Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA

or exclude ciphers with

smtpd_tls_mandatory_exclude_ciphers = DHE-RSA-CAMELLIA256-SHA

and that works on port 465.

System is xenial server 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Description:    Ubuntu 16.04.3 LTS
Release:        16.04

apt-cache policy dovecot-core
dovecot-core:
  Installed: 1:2.2.22-1ubuntu2.6
  Candidate: 1:2.2.22-1ubuntu2.6
  Version table:
 *** 1:2.2.22-1ubuntu2.6 500
        500 http://pt.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.2.22-1ubuntu2 500
        500 http://pt.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

aptitude search dovecot |grep 'i '
i A dovecot-core                    - secure POP3/IMAP server - core files      
p   dovecot-gssapi                  - secure POP3/IMAP server - GSSAPI support  
i A dovecot-imapd                   - secure POP3/IMAP server - IMAP daemon     
i A dovecot-managesieved            - secure POP3/IMAP server - ManageSieve serv
i   dovecot-mysql                   - secure POP3/IMAP server - MySQL support   
i A dovecot-pop3d                   - secure POP3/IMAP server - POP3 daemon     
i A dovecot-sieve                   - secure POP3/IMAP server - Sieve filters su

Apart from that, even if I have
ssl_prefer_server_ciphers = yes
doveconf |grep prefer gives
ssl_prefer_server_ciphers = no

This prevents making dovecot secure and compliant.

** Affects: dovecot (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1748245

Title:
  dovecot version 2.2.22 does not honor ssl_cipher_list

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1748245/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
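The report above compares a configured cipher list with what sslscan sees the server accept, by eye. The script below is an added example, not code from the bug report or from the Dovecot project: it parses the "Accepted" lines sslscan prints, expands an OpenSSL cipher string (the value Dovecot's ssl_cipher_list takes) with the local OpenSSL, and lists every suite the server accepted that the configured list should not have permitted, plus the suites a current baseline would reject outright (RC4, 3DES, MD5, keys shorter than 128 bits). It assumes the list the reporter meant to apply was `ECDHE-RSA-AES256-SHA` alone, and the embedded sample scan is the port-995 output quoted above, so it runs offline.

```python
"""Audit an sslscan report against the cipher list a mail server is configured with."""
import re
import ssl

# Constructed sample input: the `sslscan --no-failed mail.example.com:995`
# output quoted in the bug report above.
SSLSCAN_995 = """\
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""

# One sslscan result line: "Accepted  <proto>  <n> bits  <suite>"
ACCEPTED_LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


def parse_sslscan(report: str) -> list[tuple[str, int, str]]:
    """Return (protocol, key_bits, suite_name) for every 'Accepted' line."""
    suites = []
    for line in report.splitlines():
        m = ACCEPTED_LINE.match(line)
        if m:
            suites.append((m.group(1), int(m.group(2)), m.group(3)))
    return suites


def expand_cipher_list(cipher_string: str) -> set[str]:
    """Expand an OpenSSL cipher string into the TLS 1.0-1.2 suite names it permits.

    TLS 1.3 suites are configured separately in OpenSSL and are left out so the
    result matches what a TLSv1 scan like the one above can report.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def find_unexpected(report: str, allowed: set[str]) -> list[tuple[str, int, str]]:
    """Suites the server accepted although the configured list does not permit them."""
    return [s for s in parse_sslscan(report) if s[2] not in allowed]


def weak_suites(report: str) -> list[str]:
    """Suites a current baseline rejects regardless of policy: RC4, 3DES, MD5, < 128-bit keys."""
    flagged = []
    for _proto, bits, name in parse_sslscan(report):
        if bits < 128 or "RC4" in name or "DES" in name or name.endswith("MD5"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    configured = "ECDHE-RSA-AES256-SHA"  # assumed intent of the report's ssl_cipher_list
    allowed = expand_cipher_list(configured)
    print(f"'{configured}' expands to {len(allowed)} suite(s): {sorted(allowed)}")
    for proto, bits, name in find_unexpected(SSLSCAN_995, allowed):
        print(f"accepted but not in configured list: {name} ({proto}, {bits} bits)")
    print("weak suites still offered:", weak_suites(SSLSCAN_995))
```

A non-empty list from `find_unexpected` means the running daemon is not using the list you think it is; in that case compare `doveconf ssl_cipher_list` and `doveconf ssl_prefer_server_ciphers` (the effective values, as the reporter did with `doveconf | grep prefer`) with the file you edited before suspecting the OpenSSL string itself.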