Also remember that SSLv3 refers to two different things:
1. The SSLv3 protocol
2. The SSLv3 ciphers (known as the ciphersuite).
In the s_client output below, it uses the SSLv3 protocol to negotiate NO
cipher (i.e. the "Cipher is (NONE)" part). It establishes a plaintext
session using the SSLv3 protocol.
Excluding SSLv3 ciphers does not exclude the SSLv3 protocol. You must
explicitly exclude both (i.e. the SSLv3 protocol is vulnerable, as are
some of its ciphers).
You can separately specify protocols and ciphers in the Dovecot config
file, but I don't remember any way to do it for qmail.
There is a roundabout way, but it has consequences. SSLv3, TLSv1,
TLSv1_1 protocols all used the same ciphers (i.e. the SSLv3 ciphers).
The only way to use the cipher string to forbid the SSLv3 protocol is to
allow ONLY the TLSv1_2 ciphers. That works because TLSv1_2 protocol
introduced new ciphers which are not supported in the older protocols,
so specifying only TLSv1_2 ciphers forces the TLSv1_2 protocol. However,
requiring TLSv1_2 protocol has the unintended problem that many older
OSes (such as CENTOS-5) cannot connect to it because they do not support
TLSv1_2.
This is not a problem in newer OSes because SSLv3 protocol has been
removed from newer versions of OpenSSL, so you can pick a ciphersuite
with the strongest of the old ciphers and it will use the TLSv1 and/or
TLSv1_1 protocols, which are supported by most older OSes.
If you are savvy/brave enough (I am not), you can recompile OpenSSL with
SSLv3 protocol disabled. That is really the effect you want, and may be
the only way to get it for incoming connections to qmail.
This has been a very long-winded way to say that I don't think you can
easily accomplish that which you wish.
FYI: this is the issue which prompted me to upgrade from Centos5 to Centos7.
-Andy
PS: It would be nice to have a qmail patch which allows specifying the
protocols in a file called /control/tlsserverprotocols.
On 4/22/2020 2:53 PM, Eric Broch wrote:
Doesn't '!SSLv3' in your ciphers mean NO SSLv3 is accepted? So, your
command should be
openssl s_client -connect mx.domain.ltd:25 -starttls smtp -no_ssl3
not the following command which forces ssl3...
openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
Correct?
On 4/22/2020 9:57 AM, natan maciej milaszewski wrote:
Hi
I have Debian 8 and qmail with tcpserver.
I have a big problem with disabling SSLv3, or I don't understand it.
I created /var/qmail/control/tlsserverciphers
and put:
ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM
Now I restarted qmail via svc:
svc -d /service/qmail-smtpd
svc -u /service/qmail-smtpd
svc -d /service/qmail
svc -u /service/qmail
and tested via openssl s_client -connect host:25 -starttls smtp -ssl3
and I think SSLv3 is working....
openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 127 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1587570345
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
What am I doing wrong?
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
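The two things the thread turns on are how to read the s_client output natan posted and what "!SSLv3" in a cipher string actually removes. The script below is an added example, not code from the qmail list, from qmail or from OpenSSL. `parse_s_client` reads the SSL-Session block: "Cipher is (NONE)" together with an empty Master-Key means the handshake never completed (the "Protocol" line only records the version the client offered), and "write:errno=104" is ECONNRESET on Linux, i.e. the peer reset the connection, so no session was set up at all. `drop_ssl3_suites` emulates the documented meaning of the SSLv3 cipher-string keyword: it matches suites whose minimum protocol version is SSLv3, which are the same suites TLSv1 and TLSv1.1 use, and it never switches off the SSLv3 protocol. What survives is the TLSv1.2-only suites, which is the "roundabout way" Andy describes, and `protocols_still_usable` shows why a client without TLSv1.2 then cannot connect. The failed-handshake sample is the output from the thread; the successful sample and the `openssl ciphers -v` lines are constructed, modelled on the OpenSSL 1.0.x column layout, and every function name is mine.

```python
"""Interpret `openssl s_client` session output and `openssl ciphers -v` listings.

Added example for the qmail SSLv3 thread; not code from the list, qmail or OpenSSL.
"""
import re
import sys

# Output posted in the thread (trimmed to the lines the parser reads).
SAMPLE_S_CLIENT_FAILED = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 127 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Master-Key:
"""

# Constructed sample of what a completed TLSv1.2 handshake looks like.
SAMPLE_S_CLIENT_OK = """\
CONNECTED(00000003)
---
SSL handshake has read 3412 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0123ABCD
    Master-Key: 00FF00FF
"""

# Constructed `openssl ciphers -v` style lines (OpenSSL 1.0.x layout):
# name  min-protocol  Kx=  Au=  Enc=  Mac=
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
DHE-RSA-AES128-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""


def parse_s_client(output):
    """Return what the handshake actually produced.

    'Protocol' in the SSL-Session block is the version the client offered;
    only a real cipher name plus a non-empty Master-Key mean a session exists.
    """
    def field(name):
        m = re.search(r"^\s*%s\s*:\s*(.*)$" % re.escape(name), output, re.M)
        return m.group(1).strip() if m else ""

    m = re.search(r"Cipher is (\S+)", output)
    cipher = m.group(1) if m else "(NONE)"
    err = re.search(r"^(?:read|write):errno=(\d+)$", output, re.M)
    return {
        "protocol": field("Protocol"),
        "cipher": cipher,
        "established": cipher != "(NONE)" and field("Master-Key") != "",
        "errno": int(err.group(1)) if err else None,  # 104 = ECONNRESET
    }


def parse_ciphers_v(listing):
    """Return (name, min_protocol) pairs from `openssl ciphers -v` lines."""
    suites = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            suites.append((parts[0], parts[1]))
    return suites


def drop_ssl3_suites(suites):
    """Emulate '!SSLv3' in a cipher string: it removes the suites whose
    minimum protocol is SSLv3 (the ones TLSv1 and TLSv1.1 also use), not
    the SSLv3 protocol itself.  Only TLSv1.2-only suites survive."""
    return [s for s in suites if s[1] != "SSLv3"]


def protocols_still_usable(suites):
    """Protocol versions that can still negotiate some suite in the list.
    A suite with minimum version SSLv3 is usable by every later version."""
    usable = set()
    for _, min_proto in suites:
        if min_proto == "SSLv3":
            usable.update({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
        elif min_proto == "TLSv1.2":
            usable.add("TLSv1.2")
    return usable


if __name__ == "__main__":
    # Usage: openssl s_client -connect host:25 -starttls smtp -no_ssl3 2>&1 | python3 this.py
    print(parse_s_client(sys.stdin.read()))
```

Pipe a real s_client run into the script to get a yes/no answer on whether a session was negotiated instead of eyeballing the block; for the cipher-string side, feed it the output of `openssl ciphers -v '<your string>'` to see which minimum versions remain and therefore which clients can still connect.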