Hi Sam!
I can access SSLv3/TLSv1 ciphers (like the one you got, AES256-SHA) as well
but what would be the result if you were to try:
openssl s_client -connect <...> -cipher DES-CBC-MD5

With the TLS_CIPHER_LIST variable as it is, it should also allow SSLv2
ciphers, like the one mentioned above.

I ultimately want to disable stronger ciphers and only have the server
support weaker ones (I need to do this to be able to collect attack data).

I don't understand what I could be doing wrong and would appreciate any
help.

Thanks,
Shehab.

On 26 February 2010 00:39, Sam Varshavchik <[email protected]> wrote:

> Shehab Kazi writes:
>
> > Hi!
> > I've been trying to configure the server to accept SSLv2 connections as
> > well but I've been failing so far. I've read
> > http://www.openssl.org/docs/apps/ciphers.html and modified
> > TLS_CIPHER_LIST accordingly; however,
> > none of the changes seem to take effect. I've tried disabling SSLv3 and
> > TLSv1 but that doesn't make a difference.
> > I test these using openssl's s_client.
> >
> > /var/log/syslog says imapd-ssl: couriertls: connect: error:1408A0B6:SSL
> > routines:SSL3_GET_CLIENT_HELLO:no ciphers passed
> >
> > The imapd-ssl at the moment stands:
> > TLS_CIPHER_LIST="ALL:!ADH:@STRENGTH"
>
> Works for me.
>
> Script started on Thu 25 Feb 2010 06:36:05 PM EST
> # /sbin/fuser -n tcp 993
> 993/tcp:             17114
> # ls -al /proc/17114/exe
> lrwxrwxrwx. 1 root root 0 2010-02-25 18:36 /proc/17114/exe ->
> /usr/lib/courier-imap/libexec/couriertcpd
> # tr '\0' '\012' </proc/17114/environ | grep TLS
> TLS_TRUSTCERTS=/etc/pki/tls/cert.pem
> TLS_CIPHER_LIST=ALL:!ADH:@STRENGTH
> TLS_COMPRESSION=ALL
> IMAP_TLS_REQUIRED=0
> TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem
> TLS_CERTS=X509
> IMAP_CAPABILITY_TLS=IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN
> TLS_VERIFYPEER=NONE
> TLS_CACHESIZE=524288
> IMAP_CAPABILITY_TLS_ORIG=IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5
> AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE AUTH=PLAIN
> TLS_CACHEFILE=/var/run/couriersslcache
> COURIERTLS=/usr/lib/courier-imap/bin/couriertls
> TLS_KX_LIST=ALL
> IMAPDSTARTTLS=YES
> IMAP_TLS=1
> # openssl s_client -connect localhost:993
> CONNECTED(00000003)
> depth=0 C = US, O = Courier Mail Server, OU = Automatically-generated IMAP
> SSL key, L = New York, ST = NY, CN = localhost
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, O = Courier Mail Server, OU = Automatically-generated IMAP
> SSL key, L = New York, ST = NY, CN = localhost
> verify error:num=10:certificate has expired
> notAfter=Jan  3 00:55:15 2010 GMT
> verify return:1
> depth=0 C = US, O = Courier Mail Server, OU = Automatically-generated IMAP
> SSL key, L = New York, ST = NY, CN = localhost
> notAfter=Jan  3 00:55:15 2010 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL
> key/L=New York/ST=NY/CN=localhost
>   i:/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL
> key/L=New York/ST=NY/CN=localhost
> ---
> Server certificate
> subject=/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL
> key/L=New York/ST=NY/CN=localhost
> issuer=/C=US/O=Courier Mail Server/OU=Automatically-generated IMAP SSL
> key/L=New York/ST=NY/CN=localhost
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1316 bytes and written 442 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>    Protocol  : TLSv1
>    Cipher    : AES256-SHA
>    Session-ID:
> CE91E72DC5DFFBD94B66D641262C8AFDEA68105144E25561B5DD6229CC08FD30
>    Session-ID-ctx:
>    Master-Key:
> 2DFD697220B744468CCEE523132BBEB8C36DC4C90E78D60756F6EFEFB2E50DD9686F24F83C64EF822DC5D2D52E7F512B
>    Key-Arg   : None
>    Krb5 Principal: None
>    PSK identity: None
>    PSK identity hint: None
>    TLS session ticket:
>
>    Compression: 1 (zlib compression)
>    Start Time: 1267141010
>    Timeout   : 300 (sec)
>    Verify return code: 10 (certificate has expired)
> ---
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP
> ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for
> distribution information.
> ^C
> # exit
>
> Script done on Thu 25 Feb 2010 06:36:51 PM EST
>
>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> courier-users mailing list
> [email protected]
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
>
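
The check Sam runs in the quoted session (reading the TLS settings out of the listening process's /proc/<pid>/environ) can be scripted to compare them with the config file, which shows whether an edited TLS_CIPHER_LIST has actually reached the running daemon. This is an added example, not part of the original thread; the function names, the config path in the usage comment and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Compare a setting in a Courier-style config file with the value held in a
# running process's environment (NUL-separated, as in /proc/<pid>/environ).

# Print the value of variable $1 from the NUL-separated environ file $2.
env_value() {
    tr '\0' '\n' <"$2" | sed -n "s/^$1=//p" | head -n 1
}

# Print the value of variable $1 from the shell-style config file $2,
# taking the last assignment and stripping surrounding quotes.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_setting VAR CONFIG ENVIRON: returns 0 on match, 1 if the daemon is
# still running with a value that differs from the config file.
check_setting() {
    want=$(conf_value "$1" "$2")
    have=$(env_value "$1" "$3")
    if [ "$want" = "$have" ]; then
        echo "MATCH $1=$have"
        return 0
    fi
    echo "STALE $1: config='$want' running='$have'"
    return 1
}

# Constructed sample: the config file was edited, the daemon was not restarted.
demo() {
    d=$(mktemp -d) || return 2
    printf 'TLS_CERTS=X509\nTLS_CIPHER_LIST="ALL:!ADH:!SSLv2:@STRENGTH"\n' >"$d/imapd-ssl"
    printf 'TLS_CERTS=X509\0TLS_CIPHER_LIST=ALL:!ADH:@STRENGTH\0IMAP_TLS=1\0' >"$d/environ"
    check_setting TLS_CIPHER_LIST "$d/imapd-ssl" "$d/environ"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || true

# On a live host (config path is an assumption; adjust to the installation):
#   pid=$(/sbin/fuser -n tcp 993 2>/dev/null | awk '{print $1}')
#   check_setting TLS_CIPHER_LIST /etc/courier/imapd-ssl "/proc/$pid/environ"
```
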