It is possible to do this. Edit the imap source code and recompile.
Especially if you can't upgrade your openssl. Edit the file
src/osdep/unix/ssl_unix.c and change this define:
#define SSLCIPHERLIST "ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"
You'll notice I've also disabled NULL and DES as they are weak
crypto. If you want to support TLSv1.1 and TLSv1.2 then you'll need to
make some additional edits because as it stands now it only supports
TLSv1.0. I posted the patch a while back. Here it is again.
--- ssl_unix.c.orig 2014-08-15 15:51:08.000000000 -0700
+++ ssl_unix.c.new 2014-08-15 15:51:45.000000000 -0700
@@ -53,7 +53,7 @@
* ports (e.g., 993 for IMAP, 995 for POP3) and using TLS exclusively.
*/
-#define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW"
+#define SSLCIPHERLIST
"ALL:!ADH:!EXPORT:!SSLv2:!NULL:!DES:!RC4:+HIGH:+MEDIUM:@STRENGTH"
/* SSL I/O stream */
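Review bot: the replacement SSLCIPHERLIST drops the `!LOW` exclusion that the old define carried; `!DES` and `!EXPORT` overlap with that class, but keeping `!LOW` explicitly makes the intent unambiguous. The new define is also split across two lines with no trailing backslash, so as posted the macro would be empty and the string left as a stray line; join it onto one line before applying. Note as well that tokens such as `!SSLv2` in a cipher string remove cipher suites, not protocol versions, so protocol selection still depends on the method and the context options.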
@@ -234,7 +234,7 @@
if (ssl_last_error) fs_give ((void **) &ssl_last_error);
ssl_last_host = host;
if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
- TLSv1_client_method () :
+ SSLv23_client_method () :
SSLv23_client_method ())))
return "SSL context failed";
SSL_CTX_set_options (stream->context,0);
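Review bot: after this change both arms of the `(flags & NET_TLSCLIENT) ? ... : ...` conditional are `SSLv23_client_method ()`, so the test no longer selects anything and can be collapsed to a single call. More importantly, the SSLv23 method negotiates the highest version both ends support, and the following line still calls `SSL_CTX_set_options (stream->context,0)`, so nothing removes SSLv2 or SSLv3 from the offer. Pass `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` there so the path that was previously pinned to TLSv1 gains TLSv1.1/1.2 without also picking up the older protocols.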
@@ -717,7 +717,7 @@
}
/* create context */
if (!(stream->context = SSL_CTX_new (start_tls ?
- TLSv1_server_method () :
+ SSLv23_server_method () :
SSLv23_server_method ())))
syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
tcp_clienthost ())
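Review bot: the `start_tls ? ... : ...` conditional now yields `SSLv23_server_method ()` on both arms and can be reduced to one call. With the version-flexible server method, the start_tls path that was limited to TLSv1 will accept whatever protocol versions the library has enabled; no SSL_CTX_set_options call is visible in this hunk, so confirm the server context sets `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` after it is created.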
You'll need to include the !SSLv3 flag in the define, as I created
this patch before all of this.
David
On 10/15/2014 11:52 AM, Charles Swiger wrote:
Hi--
On Oct 15, 2014, at 11:44 AM, Jimmy Dorff <[email protected]> wrote:
Is this possible to disable SSLv3 and only accept imaps using TLS?
Yes. Update to OpenSSL 0.9.8zc (or OpenSSL 1.0.1j) that has been built with
no-ssl3 option.
Regards,
--
David Severance
Enterprise Unix Services
Office of Information Technology
(949) 824-7552
[email protected]