Hi,
I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
(imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
they're not recommended but I need them for older clients). I tried
several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
(even very permissive combinations) with no success.
Any idea what's happening?
I'm not sure whether it's really a Cyrus issue or some other kind of hardening feature in Buster. In that last regard, I also modified /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
I think this setting is only for client programs like Curl. But seeing
that config I tend to think that Buster may have other tweaks against
older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
Cheers,
-r
Hi,
It's probably due to new defaults in libssl.
Try adding:
MinProtocol = None
CipherString = DEFAULT
To:
/etc/ssl/openssl.cnf
Regards,
Alberto
On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
Thanks Alberto. Now it's solved (it has been a little bit tricky).
My final config:
* /etc/imapd.conf
tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
* /etc/ssl/openssl.cnf
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2
Still don't know how to fix the "Has server cipher order? no (NOT
ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).
Cheers,
-r
On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
Hi Roman,
Did you try with the following in imapd.conf?
tls_prefer_server_ciphers: 1
Regards,
Jonas.
On Sat, 9 May 2020, 01:22 Roman Medina-Heigl Hernandez,
<roman@rs-labs.com> wrote:
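Added here as an illustration, not code from the thread or from Cyrus or OpenSSL: a small Python lint that takes the two config fragments discussed above (openssl.cnf's system-wide MinProtocol/SECLEVEL and imapd.conf's tls_versions) and reports which TLS versions Cyrus can actually negotiate once libssl's defaults are applied on top of Cyrus's own list. It uses Buster's shipped defaults (MinProtocol = TLSv1.2, CipherString = DEFAULT@SECLEVEL=2) as the "before" sample, and, per SSL_CONF_cmd(3), assumes MinProtocol accepts only None, SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, so it refuses the spelling TLSv1.0 rather than guess what libssl makes of it.

```python
import re

ORDER = ["tls1_0", "tls1_1", "tls1_2", "tls1_3"]  # Cyrus tokens, low to high
# Names MinProtocol accepts (SSL_CONF_cmd(3)) -> lowest Cyrus token allowed.
# Note the spelling: TLS 1.0 is "TLSv1"; "TLSv1.0" is not a recognised name.
MINPROTO = {"None": "tls1_0", "SSLv3": "tls1_0", "TLSv1": "tls1_0",
            "TLSv1.1": "tls1_1", "TLSv1.2": "tls1_2", "TLSv1.3": "tls1_3"}
# Lowest version each OpenSSL 1.1.1 security level permits: levels 0-2 do not
# restrict TLS versions, level 3 drops TLS 1.0, levels 4 and 5 drop TLS 1.1.
SECLEVEL_MIN = {0: "tls1_0", 1: "tls1_0", 2: "tls1_0",
                3: "tls1_1", 4: "tls1_2", 5: "tls1_2"}
# Constructed samples: Buster's shipped libssl defaults, a relaxed variant,
# and the tls_* lines from the thread's final imapd.conf.
BUSTER_CNF = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
RELAXED_CNF = "[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=2\n"
IMAPD_CONF = ("tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH\n"
              "tls_versions: tls1_0 tls1_1 tls1_2 tls1_3\n")


def parse_openssl_cnf(text):
    """Return (MinProtocol, SECLEVEL) from openssl.cnf text; the last
    assignment wins and SECLEVEL falls back to OpenSSL's default of 1."""
    min_proto, seclevel = "None", 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "MinProtocol":
            min_proto = value
        elif key == "CipherString":
            match = re.search(r"@SECLEVEL=(\d)", value)
            seclevel = int(match.group(1)) if match else 1
    return min_proto, seclevel


def parse_tls_versions(imapd_conf):
    """Return the tls_versions tokens from imapd.conf text."""
    for line in imapd_conf.splitlines():
        if line.strip().startswith("tls_versions:"):
            return line.split(":", 1)[1].split()
    raise ValueError("tls_versions is not set in imapd.conf")


def effective_versions(openssl_cnf, imapd_conf):
    """Versions Cyrus can really negotiate: tls_versions minus everything
    below the floor that libssl's MinProtocol and SECLEVEL impose."""
    min_proto, seclevel = parse_openssl_cnf(openssl_cnf)
    if min_proto not in MINPROTO:
        raise ValueError(f"MinProtocol {min_proto!r} is not a name OpenSSL accepts")
    floor = max(ORDER.index(MINPROTO[min_proto]), ORDER.index(SECLEVEL_MIN[seclevel]))
    return [v for v in ORDER[floor:] if v in parse_tls_versions(imapd_conf)]
```

With Buster's defaults the lint returns only tls1_2 and tls1_3 regardless of what tls_versions lists, which is the symptom reported at the top of the thread; lowering MinProtocol to TLSv1 restores all four.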