Well ..... here for me, with 'openssl s_client', I can't even connect when using -ssl2:

[r...@correio ~]# openssl s_client -connect localhost:993 -ssl2
[ ... ]
27110:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
[r...@correio ~]#

but that's probably because I have in dovecot.conf:

ssl_cipher_list = ALL:!LOW:!SSLv2


With ssl3 and tls1 I can connect and see zlib compression being enabled.

SSL-Session:
   Protocol  : SSLv3
   Cipher    : DHE-RSA-AES256-SHA
[ ..... ]
  Compression: 1 (zlib compression)

SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
[ ..... ]
  Compression: 1 (zlib compression)


Thunderbird has options to enable/disable each cipher of ssl2/ssl3/tls1, as well as to disable them completely. Here in my Thunderbird 2.0.0.23, SSLv2 is disabled, and this is certainly the default config, as I never tweaked this.

http://img43.imageshack.us/img43/7937/thunderbirdssl2.jpg


Logging from dovecot shows clearly that I'm using TLSv1 to connect ... it also shows that TLSv1 connections from Thunderbird do not use compression, while connections from gnutls-cli correctly enable it.


Thunderbird 2.0.0.23:
Sep 29 07:12:02 correio dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=189.114.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)


gnutls-cli:
Sep 28 18:36:54 correio dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=189.11.xx.xx, lip=200.140.xx.xx, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) zlib compression


Wireshark confirms I'm using TLSv1 and also shows that Thunderbird is announcing that no compression is supported.


http://img33.imageshack.us/img33/9011/wiresharktlsv1.jpg


So ..... despite the known fact that SSLv2 can't be used if compression is wanted, using SSLv3 and TLSv1 apparently does not automatically guarantee that .....


Patrick Domack wrote:
More testing, seems all my imap clients attempt to use ssl2 first, and from the openssl mailing list:

Oops, should've made this clearer. It is only clients that need to avoid the old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs to be done to a server.
http://www.mail-archive.com/[email protected]/msg49926.html

This is confirmed using openssl s_client -connect host:993 (-ssl3|-tls1|-ssl2)

I don't see any way around this globally, unless each program has a config option to disable ssl2.


--


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAMTRAP, do NOT email it
        [email protected]




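The Wireshark capture and the two dovecot log lines above are looking at one field of the handshake: the compression_methods list in the ClientHello and the single compression_method the server echoes back in its ServerHello. The following is an added example, not part of this thread and not dovecot, OpenSSL, Thunderbird or gnutls code: a small parser for those two messages, with builders that construct sample records (the random bytes, session ids and the two-client scenario are made up; 0x0039 is the registered value of TLS_DHE_RSA_WITH_AES_256_CBC_SHA, the DHE-RSA-AES256-SHA suite in the logs). It shows why a server that is happy to compress still logs no compression for one client: the server may only pick a method the client listed, and a client that lists only null (0) gets null.

```python
"""Added example for this thread: parse the compression_methods field of an
SSLv3/TLSv1 ClientHello and the compression_method of the ServerHello, to see
which side turned zlib compression off. The builders only construct sample
records for the parser; none of this is dovecot, OpenSSL or Thunderbird code."""
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
COMPRESSION = {0: "null", 1: "DEFLATE (zlib)"}   # RFC 3749: 1 = DEFLATE
HANDSHAKE = 0x16                                   # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02            # handshake message types
DHE_RSA_AES256_SHA = 0x0039                        # TLS_DHE_RSA_WITH_AES_256_CBC_SHA


def _wrap(hs_type, body, version):
    """Constructed helper: wrap a handshake body in a handshake header and a TLS record."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + len(hs).to_bytes(2, "big") + hs


def build_client_hello(version, cipher_suites, compression_methods):
    """Constructed ClientHello (fixed random, empty session id, no extensions)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    return _wrap(CLIENT_HELLO, body, version)


def build_server_hello(version, cipher_suite, compression_method):
    """Constructed ServerHello answering one of the ClientHellos above."""
    body = bytes(version) + b"\x22" * 32 + b"\x00"
    body += struct.pack("!H", cipher_suite) + bytes([compression_method])
    return _wrap(SERVER_HELLO, body, version)


def parse_hello(record):
    """Return the version and compression information carried by a ClientHello
    or ServerHello record; raises ValueError on anything else or on truncation."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated handshake message")
    version = (body[0], body[1])
    pos = 2 + 32                       # skip the 32-byte random
    pos += 1 + body[pos]               # skip session_id length byte and session_id
    info = {"version": VERSIONS.get(version, "unknown %r" % (version,))}
    if hs_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        codes = list(body[pos + 1:pos + 1 + body[pos]])
    elif hs_type == SERVER_HELLO:
        if len(body) < pos + 3:
            raise ValueError("truncated ServerHello")
        info["cipher_suite"] = struct.unpack("!H", body[pos:pos + 2])[0]
        codes = [body[pos + 2]]
    else:
        raise ValueError("unexpected handshake type %d" % hs_type)
    info["compression_codes"] = codes
    info["compression_methods"] = [COMPRESSION.get(c, "unknown(%d)" % c) for c in codes]
    # A client offers compression if any non-null method is listed; a server
    # uses it if the single method it chose is non-null.
    info["compression"] = any(c != 0 for c in codes)
    return info


def negotiated_compression(client_record, server_record):
    """Name the method the exchange ends up with, after checking that the
    server only chose a method the client offered (RFC 2246, section 7.4.1.3)."""
    client, server = parse_hello(client_record), parse_hello(server_record)
    chosen = server["compression_codes"][0]
    if chosen not in client["compression_codes"]:
        raise ValueError("server chose compression %d the client never offered" % chosen)
    return server["compression_methods"][0]


# Constructed sample exchange, modelled on the two log lines in the thread.
TLS1 = (3, 1)
mail_client_hello = build_client_hello(TLS1, [DHE_RSA_AES256_SHA], [0])      # null only
gnutls_cli_hello = build_client_hello(TLS1, [DHE_RSA_AES256_SHA], [1, 0])    # DEFLATE, null
server_hello_plain = build_server_hello(TLS1, DHE_RSA_AES256_SHA, 0)
server_hello_zlib = build_server_hello(TLS1, DHE_RSA_AES256_SHA, 1)

if __name__ == "__main__":
    for name, rec in (("mail client", mail_client_hello), ("gnutls-cli", gnutls_cli_hello)):
        print(name, parse_hello(rec))
    print("mail client ->", negotiated_compression(mail_client_hello, server_hello_plain))
    print("gnutls-cli  ->", negotiated_compression(gnutls_cli_hello, server_hello_zlib))
```

Run against a real capture, the same parser can be pointed at the first record of the client's and server's TCP streams after STARTTLS or on port 993; the extension block that real ClientHellos append after the compression list is simply left unread here. The check in negotiated_compression is the part worth keeping in a monitoring script: a ServerHello selecting a method the client did not offer is a protocol violation that a conforming client will abort on.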