Re: tls-1.0 and cyrus-imaps-3.0.8
On 11/26/18 12:08 PM, James B. Byrne via Info-cyrus wrote: On Mon, November 26, 2018 10:28, Ken Murchison wrote: I can't reproduce your issue and I don't see where the sslscan output states that TLS1.0 is being advertised. Can you actually connect using TLS1.0 protocol? No, we cannot. I will pass the results of our test to the powers thast be and see what their reply is. Thank you, that was most helpful advice. https://testssl.sh is also useful. testssl.sh --ssl-native -p :993 Service detected: IMAP, thus skipping HTTP specific checks Testing protocols via native openssl SSLv2 Local problem: /usr/bin/openssl doesn't support "s_client -ssl2" SSLv3 not offered (OK) TLS 1 not offered TLS 1.1not offered TLS 1.2offered (OK) TLS 1.3not offered NPN/SPDY not offered ALPN/HTTP2 not offered <> Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: tls-1.0 and cyrus-imaps-3.0.8
On Mon, November 26, 2018 10:28, Ken Murchison wrote: > I can't reproduce your issue and I don't see where the sslscan output > states that TLS1.0 is being advertised. Can you actually connect > using TLS1.0 protocol? > No, we cannot. I will pass the results of our test to the powers thast be and see what their reply is. Thank you, that was most helpful advice. -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail Do NOT open attachments nor follow links sent by e-Mail James B. Byrnemailto:byrn...@harte-lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3 Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: tls-1.0 and cyrus-imaps-3.0.8
I can't reproduce your issue and I don't see where the sslscan output states that TLS1.0 is being advertised. Can you actually connect using TLS1.0 protocol? openssl s_client -tls1 -connect 215.185.71.17:993 On 11/26/18 10:11 AM, James B. Byrne via Info-cyrus wrote: We have this setting in imapd.conf: tls_versions: tls1_1 tls1_2 tls1_3 tls_prefer_server_ciphers: 1 tls_ciphers:HIGH:!aNULL:!MD5:!RC4 We have received notice that port 993 on our IMAP service supports TLS-1.0. When we run sslscan we get this result: # sslscan 216.185.71.17:993 Version: 1.11.11 OpenSSL 1.0.2-chacha (1.0.2k-dev) Connected to 216.185.71.17 Testing SSL server 216.185.71.17 on port 993 using SNI name 216.185.71.17 TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Session renegotiation not supported TLS Compression: Compression disabled Heartbleed: TLS 1.2 not vulnerable to heartbleed TLS 1.1 not vulnerable to heartbleed TLS 1.0 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHADHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 256 bits CAMELLIA256-SHA Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHADHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA Accepted TLSv1.2 128 bits CAMELLIA128-SHA Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHADHE 2048 bits Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.1 256 bits AES256-SHA Accepted TLSv1.1 256 bits CAMELLIA256-SHA Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHADHE 2048 bits Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.1 128 bits AES128-SHA Accepted TLSv1.1 128 bits CAMELLIA128-SHA SSL Certificate: Signature Algorithm: sha512WithRSAEncryption RSA Key Strength:4096 Subject: imap.harte-lyne.ca Yes, I realise that the ciphers we use are all TLS-1.1 and above. Nonetheless cyrus-imapd seems to be telling connections that TLS-1.0 is available and this is causing us a headache with PCI. How do we turn off tls-1.0 in cyrus-imapd-3.0.8? -- Ken Murchison Cyrus Development Team FastMail US LLC <> Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
tls-1.0 and cyrus-imaps-3.0.8
We have this setting in imapd.conf: tls_versions: tls1_1 tls1_2 tls1_3 tls_prefer_server_ciphers: 1 tls_ciphers:HIGH:!aNULL:!MD5:!RC4 We have received notice that port 993 on our IMAP service supports TLS-1.0. When we run sslscan we get this result: # sslscan 216.185.71.17:993 Version: 1.11.11 OpenSSL 1.0.2-chacha (1.0.2k-dev) Connected to 216.185.71.17 Testing SSL server 216.185.71.17 on port 993 using SNI name 216.185.71.17 TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Session renegotiation not supported TLS Compression: Compression disabled Heartbleed: TLS 1.2 not vulnerable to heartbleed TLS 1.1 not vulnerable to heartbleed TLS 1.0 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHADHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 256 bits CAMELLIA256-SHA Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHADHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA Accepted TLSv1.2 128 bits CAMELLIA128-SHA Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHADHE 2048 bits Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.1 256 bits AES256-SHA Accepted TLSv1.1 256 bits CAMELLIA256-SHA Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHADHE 2048 bits Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.1 128 bits AES128-SHA Accepted TLSv1.1 128 bits CAMELLIA128-SHA SSL Certificate: Signature Algorithm: sha512WithRSAEncryption RSA Key Strength:4096 Subject: imap.harte-lyne.ca Yes, I realise that the ciphers we use are all TLS-1.1 and above. Nonetheless cyrus-imapd seems to be telling connections that TLS-1.0 is available and this is causing us a headache with PCI. How do we turn off tls-1.0 in cyrus-imapd-3.0.8? -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail Do NOT open attachments nor follow links sent by e-Mail James B. Byrnemailto:byrn...@harte-lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3 Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus