Hello, I am trying to better understand how best to configure the TLS_PROTOCOL and TLS_CIPHER_LIST variables on an Ubuntu 14.04 server using the distro-provided packages (compiled against OpenSSL and appearing to be of a relatively old vintage).

Running nmap against the default configuration I see that both SSLv3 and TLS 1.0, 1.1, and 1.2 are supported:

  $ nmap --script ssl-enum-ciphers -p 993 mail.witherden.org

  Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-09 18:21 GMT
  Nmap scan report for mail.witherden.org (85.159.209.87)
  Host is up (0.010s latency).
  PORT    STATE SERVICE
  993/tcp open  imaps
  | ssl-enum-ciphers:
  |   SSLv3:
  |     ciphers:
  |       [...]
  |     compressors:
  |       NULL
  |     cipher preference: client
  |     warnings:
  |       CBC-mode cipher in SSLv3 (CVE-2014-3566)
  |       Weak certificate signature: SHA1
  |   TLSv1.0:
  |     ciphers:
  |       [...]
  |     compressors:
  |       NULL
  |     cipher preference: client
  |     warnings:
  |       Weak certificate signature: SHA1
  |   TLSv1.1:
  |     ciphers:
  |       [...]
  |     compressors:
  |       NULL
  |     cipher preference: client
  |     warnings:
  |       Weak certificate signature: SHA1
  |   TLSv1.2:
  |     ciphers:
  |       [...]
  |     compressors:
  |       NULL
  |     cipher preference: client
  |     warnings:
  |       Weak certificate signature: SHA1
  |_  least strength: C

Ideally, I would like to remove support for the SSLv3 protocol. A previous message on the list suggests setting:

  TLS_PROTOCOL=TLS1

however, when I do this and rerun nmap:

  freddie@fluorine ~ $ nmap --script ssl-enum-ciphers -p 993 mail.witherden.org

  Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-09 18:16 GMT
  Nmap scan report for mail.witherden.org (85.159.209.87)
  Host is up (0.010s latency).
  PORT    STATE SERVICE
  993/tcp open  imaps
  | ssl-enum-ciphers:
  |   TLSv1.0:
  |     ciphers:
  |       [...]
  |     compressors:
  |       NULL
  |     cipher preference: client
  |     warnings:
  |       Weak certificate signature: SHA1
  |_  least strength: C

It seems to have disabled support for all protocols other than TLS1. Going through the documentation in the configuration file I am not sure how, for OpenSSL, to enable TLS 1.0, 1.1, and 1.2. The only option I can see documented is TLS1 (whereas for GnuTLS a TLS1_1 value is also accepted).

What is the correct procedure to disable SSLv3?

Regards, Freddie.
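A small verification helper, added here as an example and not part of the original post or of Courier: it parses the `ssl-enum-ciphers` output layout shown above into protocol blocks and checks it against the policy the poster is after (SSLv3 gone, TLS 1.0/1.1/1.2 still offered), so the result of a TLS_PROTOCOL or TLS_CIPHER_LIST change can be confirmed mechanically rather than by eye. The two scan texts are constructed to match the layout in the post; the cipher names are illustrative, since the original scan elided them with `[...]`.

```python
import re
from typing import Dict, List

# Constructed scan output modelled on the ssl-enum-ciphers layout in the post.
# Cipher names are illustrative; the original scan elided them with [...].
DEFAULT_CONFIG = """\
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       Weak certificate signature: SHA1
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     warnings:
|       Weak certificate signature: SHA1
|_  least strength: C
"""

# Constructed output for the TLS_PROTOCOL=TLS1 case described in the post.
TLS1_ONLY = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Weak certificate signature: SHA1
|_  least strength: C
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")


def parse_enum_ciphers(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each offered protocol version to its cipher and warning lines."""
    protocols: Dict[str, Dict[str, List[str]]] = {}
    current = None   # protocol block we are inside
    section = None   # "ciphers" or "warnings" list we are filling
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                          # PORT/STATE table rows etc.
        line = raw.lstrip("|_").strip()       # drop nmap's "|" / "|_" margin
        match = PROTO_RE.match(line)
        if match:
            current = match.group(1)
            protocols[current] = {"ciphers": [], "warnings": []}
            section = None
            continue
        if current is None:
            continue                          # the "ssl-enum-ciphers:" header
        if line in ("ciphers:", "warnings:"):
            section = line[:-1]
        elif line.endswith(":") or line.startswith(("cipher preference", "least strength")):
            section = None                    # compressors:, preference, summary
        elif section:
            protocols[current][section].append(line)
    return protocols


def check_policy(protocols, required=("TLSv1.0", "TLSv1.1", "TLSv1.2"),
                 forbidden=("SSLv2", "SSLv3")) -> List[str]:
    """Return human-readable findings; an empty list means the policy holds."""
    findings = [f"{p} still offered" for p in forbidden if p in protocols]
    findings += [f"{p} no longer offered" for p in required if p not in protocols]
    # Surface every distinct scanner warning once, whichever protocol raised it.
    findings += sorted({w for info in protocols.values() for w in info["warnings"]})
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONFIG), ("TLS_PROTOCOL=TLS1", TLS1_ONLY)):
        parsed = parse_enum_ciphers(text)
        print(label, sorted(parsed), check_policy(parsed))
```

On the default configuration the checker reports SSLv3 still offered plus the scanner's SSLv3 CBC and SHA1 warnings; on the TLS_PROTOCOL=TLS1 configuration it reports TLS 1.1 and 1.2 missing, which is exactly the regression the post observes. Feeding it a saved `nmap -oN` file after each config change gives a repeatable pass/fail.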
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users