Shehab Kazi writes:

> Hi!
> I've been trying to configure the server to accept SSLv2 connections as 
> well but I've been failing so far. I've read 
> http://www.openssl.org/docs/apps/ciphers.html and modified TLS_CIPHER_LIST 
> accordingly, however none of the changes seem to take effect. I've tried 
> disabling SSLv3 and TLSv1 but that doesn't make a difference.
> I test these using openssl's s_client.
> 
> /var/log/syslog says imapd-ssl: couriertls: connect: error:1408A0B6:SSL 
> routines:SSL3_GET_CLIENT_HELLO:no ciphers passed
> 
> The imapd-ssl at the moment stands:
> TLS_CIPHER_LIST="ALL:!ADH:@STRENGTH"

Works for me.

Script started on Thu 25 Feb 2010 06:36:05 PM EST
# /sbin/fuser -n tcp 993
993/tcp:             17114
# ls -al /proc/17114/exe
lrwxrwxrwx. 1 root root 0 2010-02-25 18:36 /proc/17114/exe -> 
/usr/lib/courier-imap/libexec/couriertcpd
# tr '\0' '\012' </proc/17114/environ | grep TLS
TLS_TRUSTCERTS=/etc/pki/tls/cert.pem
TLS_CIPHER_LIST=ALL:!ADH:@STRENGTH
TLS_COMPRESSION=ALL
IMAP_TLS_REQUIRED=0
TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem
TLS_CERTS=X509
IMAP_CAPABILITY_TLS=IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN
TLS_VERIFYPEER=NONE
TLS_CACHESIZE=524288
IMAP_CAPABILITY_TLS_ORIG=IMAP4rev1 UIDPLUS CHILDREN NAMESPACE 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 
AUTH=CRAM-SHA256 IDLE AUTH=PLAIN
TLS_CACHEFILE=/var/run/couriersslcache
COURIERTLS=/usr/lib/courier-imap/bin/couriertls
TLS_KX_LIST=ALL
IMAPDSTARTTLS=YES
IMAP_TLS=1
# openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 C = US, O = Courier Mail Server, OU = Automatically-generated IMAP SSL 
key, L = New York, ST = NY, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = Courier Mail Server, OU = Automatically-generated IMAP SSL 
key, L = New York, ST = NY, CN = localhost
verify error:num=10:certificate has expired
notAfter=Jan  3 00:55:15 2010 GMT
verify return:1
depth=0 C = US, O = Courier Mail Server, OU = Automatically-generated IMAP SSL 
key, L = New York, ST = NY, CN = localhost
notAfter=Jan  3 00:55:15 2010 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/L=New 
York/ST=NY/CN=localhost
   i:/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/L=New 
York/ST=NY/CN=localhost
---
Server certificate
subject=/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL 
key/L=New York/ST=NY/CN=localhost
issuer=/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL 
key/L=New York/ST=NY/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1316 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: CE91E72DC5DFFBD94B66D641262C8AFDEA68105144E25561B5DD6229CC08FD30
    Session-ID-ctx: 
    Master-Key: 
2DFD697220B744468CCEE523132BBEB8C36DC4C90E78D60756F6EFEFB2E50DD9686F24F83C64EF822DC5D2D52E7F512B
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:

    Compression: 1 (zlib compression)
    Start Time: 1267141010
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP 
ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution 
information.
^C
# exit

Script done on Thu 25 Feb 2010 06:36:51 PM EST
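
The check in the transcript above (reading the listener's live environment from /proc) can be turned into a comparison against the configuration file, which shows whether an edited TLS_CIPHER_LIST has actually reached the running daemon. This is an added example, not part of the original message or of Courier; the function names, the temporary files and the "HIGH:!ADH:@STRENGTH" value are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a TLS_* setting in a daemon's live environment
# with the value in its configuration file.

# running_value ENVIRON_FILE VAR
# Print VAR's value from a NUL-separated environ file such as
# /proc/<pid>/environ (pid found with: fuser -n tcp 993).
running_value() {
    tr '\000' '\012' < "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# configured_value CONF_FILE VAR
# Print VAR's value from a shell-style config file (VAR=value or VAR="value").
# The last assignment wins; surrounding double quotes are stripped.
configured_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_setting ENVIRON_FILE CONF_FILE VAR
# Print "current" when the process runs with the configured value,
# "stale" when the file differs from what the process was started with.
check_setting() {
    if [ "$(running_value "$1" "$3")" = "$(configured_value "$2" "$3")" ]; then
        echo current
    else
        echo stale
    fi
}

# Constructed sample data standing in for /proc/<pid>/environ and the
# edited imapd-ssl file, so the example runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'TLS_CIPHER_LIST=ALL:!ADH:@STRENGTH\000IMAP_TLS=1\000' > "$demo/environ"
printf '%s\n' '# constructed config' \
    'TLS_CIPHER_LIST="HIGH:!ADH:@STRENGTH"' > "$demo/imapd-ssl"

echo "running:    $(running_value "$demo/environ" TLS_CIPHER_LIST)"
echo "configured: $(configured_value "$demo/imapd-ssl" TLS_CIPHER_LIST)"
echo "status:     $(check_setting "$demo/environ" "$demo/imapd-ssl" TLS_CIPHER_LIST)"
```

A "stale" result means the listener was started before the file was edited and has to be restarted before s_client will see any change.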

