Thank you. Apparently cyrus still allows an SSLv2 connection despite
Ubuntu's configured openssl options. I can file a bug upstream with
Debian; perhaps that is best?
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid
With SSLv2 in the imapd.conf tls options, it allows an SSLv2 connection over imaps:
$ openssl s_client -connect 173.230.156.66:993 -verify -debug -ssl2
verify depth is 0
CONNECTED(00000003)
depth=0 CN = li166-66.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li166-66.members.linode.com
verify return:1
---
Server certificate
subject=/CN=li166-66.members.linode.com
issuer=/CN=li166-66.members.linode.com
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 579 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: 91A4A83A02BBB6A2BC60A56404E66619
Session-ID-ctx:
Master-Key: 33156C13CA7E84DCD37A174D148333675CCDC90038E0C97A
Key-Arg : 792CAE9519F74E9F
PSK identity: None
PSK identity hint: None
Start Time: 1323986488
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
* OK li166-66 Cyrus IMAP4 v2.2.13-Debian-2.2.13-19squeeze2build0.10.04.1 server ready
With SSLv2 taken out of the imapd.conf tls options, SSLv2 is not allowed:
$ openssl s_client -connect 173.230.156.66:993 -verify -debug -ssl2
verify depth is 0
CONNECTED(00000003)
depth=0 CN = li166-66.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li166-66.members.linode.com
verify return:1
140735126120892:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
This all came about from a third-party scanning vendor (Qualys), which
identified my port 993 as allowing SSLv2. Regards,
https://bugs.launchpad.net/bugs/904875
Title:
cyrus default config includes insecure SSLv2
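The two `openssl s_client -ssl2` transcripts above are the evidence that decides whether the fix worked. As an added example (not part of the bug report or of Cyrus), here is a small Python checker that classifies such transcripts: it reports the negotiated protocol and cipher, the ciphers the server had in common with the SSLv2-only client, the certificate verify code, and whether the SSLv2 handshake was refused with the "no cipher list" error. The two transcripts embedded below are constructed, trimmed copies of the report's output with a placeholder hostname.

```python
"""Classify `openssl s_client -ssl2` transcripts: SSLv2 accepted or refused."""
import re

# Constructed excerpt: server accepted the SSLv2-only handshake (before the fix).
ACCEPTED = """\
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify error:num=18:self signed certificate
verify return:1
---
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 DES-CBC3-MD5
---
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Verify return code: 18 (self signed certificate)
---
* OK imap Cyrus IMAP4 server ready
"""

# Constructed excerpt: SSLv2 removed from the tls options (after the fix).
REFUSED = """\
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify error:num=18:self signed certificate
verify return:1
140735126120892:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
"""


def analyse_sclient(output: str) -> dict:
    """Extract the handshake facts a reviewer needs from an s_client transcript."""
    protocol = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    common = re.search(r"Ciphers common between both SSL endpoints:\n(.+)", output)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    return {
        "protocol": protocol.group(1) if protocol else None,
        "cipher": cipher.group(1) if cipher else None,
        "common_ciphers": common.group(1).split() if common else [],
        "verify_code": int(verify.group(1)) if verify else None,
        # With -ssl2 the client only offers SSLv2 ciphers; a server that no
        # longer speaks SSLv2 leaves no common cipher and s_client errors out.
        "sslv2_refused": "GET_SERVER_HELLO:no cipher list" in output,
    }


def sslv2_exposed(output: str) -> bool:
    """True when the server completed an SSLv2 session (the finding Qualys raised)."""
    result = analyse_sclient(output)
    return result["protocol"] == "SSLv2" and not result["sslv2_refused"]
```

Feed it the saved output of the before and after runs to confirm the remediation; a verify code of 18 on either run is the separate self-signed certificate finding.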