On 11/26/2012 7:08 PM, jan...@lavabit.com wrote:
> Hello.
>
> I configured courier-imap-ssl and decided to test it:
>
> $ openssl s_client -tls1 -connect mail.example.com:993
> CONNECTED(00000003)
> depth=0 /CN=mail.example.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /CN=mail.example.com
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=mail.example.com
>    i:/CN=mail.example.com
> ---
> Server certificate
> [snip]
> subject=/CN=mail.example.com
> issuer=/CN=mail.example.com
> ---
> No client certificate CA names sent
> ---
> [snip]
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
> [snip]
>     Compression: 1 (zlib compression)
> [snip]
>     Verify return code: 18 (self signed certificate)
> ---
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL
> ACL2=UNION] Courier-IMAP read. [snip]
>
> I have several questions:
>
> 1. What does AUTH=PLAIN mean? Does it mean that my login/password will
> be sent in plain text? Is there an explanation of the above output?

It means that it will not be encrypted any more than is already done by the
SSL/TLS encryption of the whole transmission. Some other IMAP implementations
support login methods that do that, such as Kerberos or SRP, but Courier does
not, due to the interface to its authentication daemon.

> 2. Why does it use AES256-SHA? Is it secure? I'm using an RSA key, but it
> isn't listed. Why?
Looking at the openssl documentation, "AES256-SHA" in this message is short
for "TLS_RSA_WITH_AES_256_CBC_SHA", so it means that the connection is not
doing the extra DHE step for perfect forward secrecy. I found this in man
ciphers(1ssl); it is also in /usr/include/ssl/tls1.h, which is harder to read
but has some comments about why the abbreviations are like that.

> For example (Postfix is using the same key/cert file):
>
> $ openssl s_client -starttls smtp -connect mail.example.com:25
>
> [snip]
>
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>
> 3. Is it possible to enable DHE-RSA-AES256-SHA in Courier? How?
>

I don't know the answer to that, sorry.
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
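As an added illustration of the point made in the reply above (example code written for this page, not part of the thread and not from Courier or OpenSSL), the Python script below parses `openssl s_client` output like the two runs quoted and reports the key-exchange method, the IANA name of the suite, whether the suite gives forward secrecy, whether TLS compression was negotiated (the IMAP run shows zlib) and whether the server certificate was self-signed. The OpenSSL-to-IANA lookup table, the two sample outputs and all function names are constructed for this example; the naming rule it applies (an ECDHE-/DHE-/EDH- prefix means an ephemeral Diffie-Hellman exchange, a name that starts with the bulk cipher such as AES256-SHA means static RSA key transport) is the OpenSSL convention the reply points to in ciphers(1ssl).

```python
import re

# OpenSSL-name -> IANA-name lookup for the two suites seen in this thread and a
# few neighbours. Constructed for this example; the authoritative list is the
# output of `openssl ciphers -V`.
OPENSSL_TO_IANA = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def key_exchange(openssl_name):
    """Key-exchange method implied by an OpenSSL cipher-suite name.

    OpenSSL puts the key exchange first: ECDHE-/DHE-/EDH- mean an ephemeral
    Diffie-Hellman exchange. A name that starts directly with the bulk cipher
    (AES256-SHA, DES-CBC3-SHA, RC4-SHA, ...) is static RSA key transport: the
    pre-master secret is encrypted to the server's long-term RSA key.
    """
    if openssl_name.startswith("ECDHE-"):
        return "ECDHE"
    if openssl_name.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "RSA"


def has_forward_secrecy(openssl_name):
    """True when an ephemeral exchange protects recorded sessions against a
    later compromise of the server's private key."""
    return key_exchange(openssl_name) in ("DHE", "ECDHE")


_FIELD = re.compile(r"^\s*(Protocol|Cipher|Compression)\s*:\s*(.+?)\s*$", re.M)
_VERIFY = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)", re.M)
_KEYBITS = re.compile(r"^\s*Server public key is (\d+) bit", re.M)


def parse_s_client(output):
    """Pull the session summary fields out of `openssl s_client` output."""
    info = {}
    for key, value in _FIELD.findall(output):
        info.setdefault(key.lower(), value)  # keep the first occurrence
    m = _VERIFY.search(output)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_reason"] = m.group(2)
    m = _KEYBITS.search(output)
    if m:
        info["key_bits"] = int(m.group(1))
    return info


def assess(output):
    """Summarise what the negotiated session does and does not give you."""
    info = parse_s_client(output)
    cipher = info.get("cipher", "")
    return {
        "protocol": info.get("protocol"),
        "cipher": cipher,
        "iana_name": OPENSSL_TO_IANA.get(cipher),
        "key_exchange": key_exchange(cipher),
        "forward_secrecy": has_forward_secrecy(cipher),
        # s_client prints "Compression: NONE" when TLS compression is off
        "tls_compression": info.get("compression", "NONE") != "NONE",
        # 18 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        "self_signed": info.get("verify_code") == 18,
    }


# Constructed excerpts modelled on the two s_client runs quoted in the thread.
IMAP_SAMPLE = """\
CONNECTED(00000003)
verify error:num=18:self signed certificate
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Compression: 1 (zlib compression)
    Verify return code: 18 (self signed certificate)
---
"""

SMTP_SAMPLE = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
"""

if __name__ == "__main__":
    for name, sample in (("IMAP :993", IMAP_SAMPLE), ("SMTP :25", SMTP_SAMPLE)):
        print(name, assess(sample))
```

To use it on a live server, capture the output with something like `openssl s_client -connect mail.example.com:993 < /dev/null > imap.txt` (add `-starttls smtp` for port 25) and pass the file contents to `assess()`; confirm any suite mapping it does not know with `openssl ciphers -V 'NAME'`.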