It is possible to do this: edit the imap source code and recompile, especially if you can't upgrade your OpenSSL. Edit the file src/osdep/unix/ssl_unix.c and change this define:

#define SSLCIPHERLIST "ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"

You'll notice I've also disabled NULL and DES, as they are weak crypto. If you want to support TLSv1.1 and TLSv1.2 then you'll need to make some additional edits, because as it stands now it only supports TLSv1.0. I posted the patch a while back. Here it is again.

--- ssl_unix.c.orig     2014-08-15 15:51:08.000000000 -0700
+++ ssl_unix.c.new      2014-08-15 15:51:45.000000000 -0700
@@ -53,7 +53,7 @@
  * ports (e.g., 993 for IMAP, 995 for POP3) and using TLS exclusively.
  */

-#define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW"
+#define SSLCIPHERLIST "ALL:!ADH:!EXPORT:!SSLv2:!NULL:!DES:!RC4:+HIGH:+MEDIUM:@STRENGTH"

 /* SSL I/O stream */

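Review bot: the new SSLCIPHERLIST drops the `!LOW` that the old define had, and `+HIGH:+MEDIUM` does not compensate: in an OpenSSL cipher string a `+` prefix only moves already-selected suites to the end of the list, it never excludes anything, so the low-strength suites still matched by `ALL` stay negotiable. Keep `!LOW` (the define given in the body of the mail has it). Two smaller points on the same line: `!EXPORT` is the same alias as the old `!EXP`, and `!SSLv3` as a cipher-string token means "suites first defined in SSLv3" (AES128-SHA, DES-CBC3-SHA and most other TLS 1.0/1.1 suites), not the SSLv3 protocol, so adding it to this define as the follow-up text suggests would strip nearly every suite a TLSv1.0 client can use; disable the protocol with `SSL_OP_NO_SSLv3` on the context instead.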
@@ -234,7 +234,7 @@
   if (ssl_last_error) fs_give ((void **) &ssl_last_error);
   ssl_last_host = host;
   if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
-                                      TLSv1_client_method () :
+                                      SSLv23_client_method () :
                                       SSLv23_client_method ())))
     return "SSL context failed";
   SSL_CTX_set_options (stream->context,0);
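Review bot: switching from `TLSv1_client_method ()` to `SSLv23_client_method ()` lets the client negotiate SSLv3 (and SSLv2, where the library still has it), not only TLSv1.1/1.2, and the unchanged context line `SSL_CTX_set_options (stream->context,0);` sets no protocol options, so this hunk re-enables the protocol the thread is trying to disable. Change that call to `SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` so the version-flexible method still refuses SSLv3.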
@@ -717,7 +717,7 @@
   }
                                /* create context */
   if (!(stream->context = SSL_CTX_new (start_tls ?
-                                      TLSv1_server_method () :
+                                      SSLv23_server_method () :
                                       SSLv23_server_method ())))
     syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
tcp_clienthost ())
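Review bot: the STARTTLS server path has the same problem: `TLSv1_server_method ()` could not speak SSLv3, `SSLv23_server_method ()` can, and this hunk shows no `SSL_CTX_set_options ()` on the new context. Confirm the server context gets `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` (and `SSL_OP_CIPHER_SERVER_PREFERENCE` if the `@STRENGTH` ordering in the cipher list is meant to be enforced server-side); otherwise the rebuilt server accepts SSLv3 on STARTTLS even though the cipher list changed. Also, the wrapped continuation `tcp_clienthost ())` has lost its leading whitespace in transit, so the patch as pasted may need that context line restored before it applies cleanly.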

You'll need to include the !SSLv3 flag in the define, as I created this patch before all of this.

David

On 10/15/2014 11:52 AM, Charles Swiger wrote:
Hi--

On Oct 15, 2014, at 11:44 AM, Jimmy Dorff <[email protected]> wrote:
Is this possible to disable SSLv3 and only accept imaps using TLS?
Yes.  Update to OpenSSL 0.9.8zc (or OpenSSL 1.0.1j) that has been built with the no-ssl3 option.

Regards,

--
David Severance
Enterprise Unix Services
Office of Information Technology
(949) 824-7552
[email protected]

_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw