Also remember that SSLv3 refers to two different things:

1.  The SSLv3 protocol

2.  The SSLv3 ciphers (known as the ciphersuite).

In the s_client output below, it uses the SSLv3 protocol to negotiate NO cipher (i.e. the "Cipher is (NONE)" part). It establishes a plaintext session using the SSLv3 protocol.

Excluding SSLv3 ciphers does not exclude the SSLv3 protocol. You must explicitly exclude both (i.e. the SSLv3 protocol is vulnerable, as are some of its ciphers).

You can separately specify protocols and ciphers in the Dovecot config file, but I don't remember any way to do it for qmail.

There is a roundabout way, but it has consequences. SSLv3, TLSv1, TLSv1_1 protocols all used the same ciphers (i.e. the SSLv3 ciphers). The only way to use the cipher string to forbid the SSLv3 protocol is to allow ONLY the TLSv1_2 ciphers. That works because TLSv1_2 protocol introduced new ciphers which are not supported in the older protocols, so specifying only TLSv1_2 ciphers forces the TLSv1_2 protocol. However, requiring TLSv1_2 protocol has the unintended problem that many older OS's (such as CENTOS-5) cannot connect to it because they do not support TLSv1_2.

This is not a problem in newer OS's because SSLv3 protocol has been removed from newer versions of OpenSSL, so you can pick a ciphersuite with the strongest of the old ciphers and it will use the TLSv1 and/or TLSv1_1 protocols, which are supported by most older OS's.

If you are savvy/brave enough (I am not), you can recompile OpenSSL with SSLv3 protocol disabled. That is really the effect you want, and may be the only way to get it for incoming connections to qmail.

This has been a very long-winded way to say that I don't think you can easily accomplish that which you wish.

FYI: this is the issue which prompted me to upgrade from Centos5 to Centos7.

-Andy


PS: It would be nice to have a qmail patch which allows specifying the protocols in a file called /control/tlsserverprotocols.





On 4/22/2020 2:53 PM, Eric Broch wrote:
Doesn't '!SSLv3' in your ciphers mean NO SSLv3 is accepted? So, your command should be

openssl s_client -connect mx.domain.ltd:25 -starttls smtp -no_ssl3

not the following command which forces ssl3...

openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3

Correct?

On 4/22/2020 9:57 AM, natan maciej milaszewski wrote:
Hi
I have a Debian 8 and qmail with tcpserver

I have a big problem with disabling SSLv3 - or I don't understand


I created /var/qmail/control/tlsserverciphers
and put:
ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

Now I restart qmail via svc:

svc -d /service/qmail-smtpd
svc -u /service/qmail-smtpd
svc -d /service/qmail
svc -u /service/qmail


and tested via openssl s_client -connect host:25 -starttls smtp -ssl3
and I think SSLv3 is working....


openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 127 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : SSLv3
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1587570345
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
---

What am I doing wrong?



---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

