Hello,

I am trying to better understand how best to configure the TLS_PROTOCOL
and TLS_CIPHER_LIST variables on an Ubuntu 14.04 server using the
distro-provided packages (which are compiled against OpenSSL and appear
to be of a relatively old vintage).

Running nmap against the default configuration I see that both SSLv3 and
TLS 1.0, 1.1, and 1.2 are supported:

$ nmap --script ssl-enum-ciphers -p 993 mail.witherden.org
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-09 18:21 GMT
Nmap scan report for mail.witherden.org (85.159.209.87)
Host is up (0.010s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       [...]
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       [...]
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Weak certificate signature: SHA1
|   TLSv1.1:
|     ciphers:
|       [...]
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Weak certificate signature: SHA1
|   TLSv1.2:
|     ciphers:
|       [...]
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Weak certificate signature: SHA1
|_  least strength: C

Ideally, I would like to remove support for the SSLv3 protocol.  A
previous message on the list suggests setting:

TLS_PROTOCOL=TLS1

however, when I do this and rerun nmap:

freddie@fluorine ~ $ nmap --script ssl-enum-ciphers -p 993 mail.witherden.org

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-09 18:16 GMT
Nmap scan report for mail.witherden.org (85.159.209.87)
Host is up (0.010s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       [...]
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Weak certificate signature: SHA1
|_  least strength: C

It seems to have disabled support for all protocols other than TLS1.
Going through the documentation in the configuration file I am not sure
how, for OpenSSL, to enable TLS 1.0, 1.1, and 1.2.  The only option I can
see documented is TLS1 (whereas for GnuTLS a TLS1_1 value is also accepted).

What is the correct procedure to disable SSLv3?

Regards, Freddie.

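To verify a TLS_PROTOCOL change from the client side, the following shell probe (an added example, not from the original message or from Courier) attempts one openssl s_client handshake per protocol version and reports which versions the server still accepts; the host and port are placeholders passed on the command line.

```shell
#!/bin/sh
# Probe which SSL/TLS versions an IMAPS server accepts, one handshake per
# version, so a TLS_PROTOCOL change can be verified from the client side.
# Added example, not from the original message or from Courier; host and
# port come from the command line (placeholders, use your own server).

# negotiated_version: read openssl s_client output on stdin and print the
# protocol the server negotiated, or "none" when the handshake failed.
# s_client prints "New, (NONE), Cipher is (NONE)" on failure and a
# "Protocol  : TLSv1.2" line in its SSL-Session summary on success.
negotiated_version() {
    awk '
        /^New, / && /Cipher is \(NONE\)/ { failed = 1 }
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); proto = $0 }
        END { if (failed || proto == "") print "none"; else print proto }
    '
}

# probe_version: attempt one handshake limited to a single version via the
# matching s_client option (-ssl3, -tls1, -tls1_1, -tls1_2). An option your
# local openssl build does not know (e.g. -ssl3 on a no-ssl3 build) also
# reports "none" because its error is hidden by 2>/dev/null; check
# "openssl s_client -help" if every version reports none.
probe_version() {
    host="$1"; port="$2"; opt="$3"
    openssl s_client -connect "$host:$port" "$opt" </dev/null 2>/dev/null \
        | negotiated_version
}

# Usage: sh tls-probe.sh mail.example.com [993]
# After setting TLS_PROTOCOL, only -ssl3 should report "none".
if [ -n "${1:-}" ]; then
    for opt in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s -> %s\n' "$opt" "$(probe_version "$1" "${2:-993}" "$opt")"
    done
fi
```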

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users