For me, that command works.
I also modified IMAPDSSLSTART=NO and IMAP_TLS_REQUIRED=1

On 22/10/14 18:21, Quinn Comendant wrote:
On Fri, 17 Oct 2014 10:52:12 +0300, Catalin Leanca wrote:
I managed to disable SSLv3 in /etc/courier/imapd-ssl and
/etc/courier/pop3-ssl
Changed TLS_PROTOCOL=SSLv3 to TLS_PROTOCOL=TLS1
Catalin (and others): have you succeeded in disabling SSLv3 in courier? When I 
try this configuration, I am unable to connect even with a TLS-compatible 
client, not even the openssl itself:

        openssl s_client -state -nbio -connect mail.example.com:993

I get this output:

     CONNECTED(00000003)
     turning on non blocking io
     SSL_connect:before/connect initialization
     SSL_connect:SSLv2/v3 write client hello A
     SSL_connect:error in SSLv2/v3 read server hello A
     write R BLOCK
     SSL_connect:error in SSLv2/v3 read server hello A
     read:errno=54

According to the openssl documentation, this error usually results from the 
connection not being able to auto-negotiate a suitable ssl version to use. So, 
I force a TLS connection using -tls1:

        openssl s_client -state -nbio -connect oak2.strangecode.com:993 -tls1

And then I get a successful connection with the openssl client. The problem is 
the real IMAP client I use (Gyazmail) doesn't connect (though it does support 
TLS). Perhaps it is trying SSLv3 first, and fails to negotiate to TLS?

I also read that some Courier versions have this problem, some not [1]. I'd 
appreciate it if you could run the above openssl command (without -tls1) and let 
me know if it connects for you or not.

BTW, if you want to test that your server refuses SSLv3 connections, run the 
openssl client with '-ssl3'.

Quinn

[1] http://sourceforge.net/p/courier/mailman/message/17185523/

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



--
CS Catalin LEANCA
ICI ROTLD - Serviciul Tehnic
Bd. Maresal Averescu 8-10,
Sector 1, Bucuresti
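
The thread above changes TLS_PROTOCOL in /etc/courier/imapd-ssl and /etc/courier/pop3-ssl. The following is an added example, not code from either poster or from Courier: a small shell check that reports which TLS_PROTOCOL value actually takes effect in such a file. It assumes the files are shell-style KEY=VALUE lines where the last uncommented assignment wins, and it treats any value containing "SSL" as still permitting SSLv3; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Courier-style config file.

# effective_value KEY FILE
# Print the value of the last uncommented KEY=... line (assumption: the
# file is read like shell assignments, so the last assignment wins).
effective_value() {
    awk -v key="$1" -v q="'" '
        /^[[:space:]]*#/ { next }               # skip commented-out lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[[:space:]]+$/, "", val)
                gsub("[\"" q "]", "", val)      # drop surrounding quotes
                found = 1
            }
        }
        END { if (found) print val }
    ' "$2"
}

# check_tls_protocol FILE
# Prints OK:<value>, WEAK:<value> or UNSET; returns 0, 1 or 2 respectively.
check_tls_protocol() {
    proto=$(effective_value TLS_PROTOCOL "$1")
    case "$proto" in
        "")          echo "UNSET"; return 2 ;;
        *SSL*|*ssl*) echo "WEAK:$proto"; return 1 ;;  # assumption: SSL* allows SSLv3
        *)           echo "OK:$proto"; return 0 ;;
    esac
}

# Constructed sample input: the old setting followed by the corrected one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TLS_PROTOCOL=SSLv3   (commented out, ignored)
TLS_PROTOCOL=SSLv3
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
EOF
check_tls_protocol "$sample" || true
rm -f "$sample"
```

A file check like this only shows what is configured; the `-ssl3` test with the openssl client mentioned in the thread is what confirms the running server's behaviour.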

