• TLS1.0 and 1.1 with Cyrus (Debian Buster)

    From Alberto Gonzalez Iniesta@21:1/5 to Roman Medina-Heigl Hernandez on Fri May 8 21:30:01 2020
    Hi,

    It's probably due to new defaults in libssl.
    Try adding:
    MinProtocol = None
    CipherString = DEFAULT
    To:
    /etc/ssl/openssl.cnf

    Regards,

    Alberto

    On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
    Hi,

    I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
    (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
    they're not recommended but I need them for older clients). I tried
    several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
    (even very permissive combinations) with no success.

    Any idea what's happening?

    I'm not sure whether it's really a Cyrus issue or some other kind of
    hardening feature in Buster. In that last regard, I also modified
    /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
    I think this setting is only for client programs like Curl. But seeing
    that config I tend to think that Buster may have other tweaks against
    older protocols like TLSv1.{0,1} and one of them may be impacting my setup.

    Cheers,

    -r


    --
    Alberto Gonzalez Iniesta | Training, consulting and technical support
    mailto/sip: agi@inittab.org | in GNU/Linux and free software
    Encrypted mail preferred | http://inittab.com

    Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Roman Medina-Heigl Hernandez@21:1/5 to All on Fri May 8 21:20:01 2020
    Hi,

    I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
    (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
    they're not recommended but I need them for older clients). I tried
    several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
    (even very permissive combinations) with no success.

    Any idea what's happening?

    I'm not sure whether it's really a Cyrus issue or some other kind of
    hardening feature in Buster. In that last regard, I also modified
    /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
    I think this setting is only for client programs like Curl. But seeing
    that config I tend to think that Buster may have other tweaks against
    older protocols like TLSv1.{0,1} and one of them may be impacting my setup.

    Cheers,

    -r

  • From Roman Medina-Heigl Hernandez@21:1/5 to All on Sat May 9 01:30:01 2020
    Thanks Alberto. Now it's solved (it has been a little bit tricky).

    My final config:

    * /etc/imapd.conf
    tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
    tls_versions: tls1_0 tls1_1 tls1_2 tls1_3

    * /etc/ssl/openssl.cnf
    MinProtocol = TLSv1.0
    CipherString = DEFAULT@SECLEVEL=2

    Still don't know how to fix the "Has server cipher order? no (NOT
    ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).


    Cheers,
    -r

    On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
    Hi,

    It's probably due to new defaults in libssl.
    Try adding:
    MinProtocol = None
    CipherString = DEFAULT
    To:
    /etc/ssl/openssl.cnf

    Regards,

    Alberto

    On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
    Hi,

    I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
    (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
    they're not recommended but I need them for older clients). I tried
    several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
    (even very permissive combinations) with no success.

    Any idea what's happening?

    I'm not sure whether it's really a Cyrus issue or some other kind of
    hardening feature in Buster. In that last regard, I also modified
    /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
    I think this setting is only for client programs like Curl. But seeing
    that config I tend to think that Buster may have other tweaks against
    older protocols like TLSv1.{0,1} and one of them may be impacting my setup.

    Cheers,

    -r


  • From Jonas Andradas@21:1/5 to All on Sat May 9 22:00:02 2020
    Hi Roman,

    Did you try with the following in imapd.conf?

    tls_prefer_server_ciphers: 1


    Regards,
    Jonas.

    On Sat, 9 May 2020, 01:22 Roman Medina-Heigl Hernandez, <roman@rs-labs.com> wrote:

    Thanks Alberto. Now it's solved (it has been a little bit tricky).

    My final config:

    * /etc/imapd.conf
    tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
    tls_versions: tls1_0 tls1_1 tls1_2 tls1_3

    * /etc/ssl/openssl.cnf
    MinProtocol = TLSv1.0
    CipherString = DEFAULT@SECLEVEL=2

    Still don't know how to fix the "Has server cipher order? no (NOT
    ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).


    Cheers,
    -r

    On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
    Hi,

    It's probably due to new defaults in libssl.
    Try adding:
    MinProtocol = None
    CipherString = DEFAULT
    To:
    /etc/ssl/openssl.cnf

    Regards,

    Alberto

    On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez
    wrote:
    Hi,

    I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
    (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
    they're not recommended but I need them for older clients). I tried
    several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
    (even very permissive combinations) with no success.

    Any idea what's happening?

    I'm not sure whether it's really a Cyrus issue or some other kind of
    hardening feature in Buster. In that last regard, I also modified
    /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
    I think this setting is only for client programs like Curl. But seeing
    that config I tend to think that Buster may have other tweaks against
    older protocols like TLSv1.{0,1} and one of them may be impacting my setup.

    Cheers,

    -r





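As an added check (example code written for this edit, not anything from the thread, from Cyrus or from OpenSSL), the script below parses the two config layers the thread ends up touching, openssl.cnf's system-wide MinProtocol and imapd.conf's tls_versions, and reports which versions Cyrus can actually negotiate, plus whether tls_prefer_server_ciphers is set, which is what testssl.sh's "Has server cipher order?" line keys on. The sample configs are constructed from the values quoted in the thread; Buster's shipped default of MinProtocol = TLSv1.2 is stated from knowledge, not from the thread, and the fallback for an unset tls_versions is an assumption.

```python
import re
# Lowest first. Cyrus spells versions tls1_0..tls1_3, openssl.cnf TLSv1(.0)..TLSv1.3.
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CYRUS_NAMES = {"tls1_%d" % i: v for i, v in enumerate(ORDER)}

# Constructed samples from the values quoted in the thread; the first
# openssl.cnf is Buster's shipped default (from knowledge, not from the page).
BUSTER_DEFAULT_CNF = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
ROMAN_FINAL_CNF = "[system_default_sect]\nMinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=2\n"
ROMAN_FINAL_IMAPD = ("tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH\n"
                     "tls_versions: tls1_0 tls1_1 tls1_2 tls1_3\n")

def parse_openssl_cnf(text):
    """MinProtocol/MaxProtocol/CipherString from an openssl.cnf snippet (section
    boundaries ignored; real libssl reads only the ssl_conf -> system_default one)."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"(MinProtocol|MaxProtocol|CipherString)\s*=\s*(\S*)",
                     line.split("#", 1)[0].strip())
        if m:  # TLSv1 is openssl.cnf's alias for TLSv1.0
            opts[m.group(1)] = "TLSv1.0" if m.group(2) == "TLSv1" else m.group(2)
    return opts

def parse_imapd_conf(text):
    """Cyrus imapd.conf is 'key: value' per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def effective_versions(openssl_cnf, imapd_conf):
    """Versions the daemon can really negotiate: what tls_versions offers,
    clipped by libssl's system-wide MinProtocol/MaxProtocol (None = no limit)."""
    ssl = parse_openssl_cnf(openssl_cnf)
    lo, hi = ssl.get("MinProtocol", "None"), ssl.get("MaxProtocol", "None")
    lo_i = ORDER.index(lo) if lo in ORDER else 0               # None/SSLv3: no floor
    hi_i = ORDER.index(hi) if hi in ORDER else len(ORDER) - 1  # None: no ceiling
    allowed = set(ORDER[lo_i:hi_i + 1])
    # Assumption: unset tls_versions means the thread's full list (check imapd.conf(5)).
    wanted = parse_imapd_conf(imapd_conf).get("tls_versions", "tls1_0 tls1_1 tls1_2 tls1_3")
    offered = {CYRUS_NAMES[v] for v in wanted.split() if v in CYRUS_NAMES}
    return [v for v in ORDER if v in offered and v in allowed]

def server_cipher_order(imapd_conf):
    """testssl.sh reports 'Has server cipher order? yes' only when the server
    enforces its preference; Cyrus needs tls_prefer_server_ciphers: 1 (0 when absent)."""
    return parse_imapd_conf(imapd_conf).get("tls_prefer_server_ciphers", "0") == "1"
```

Lowering MinProtocol in openssl.cnf is system-wide, so every libssl-linked daemon on the box inherits the weaker floor, not only Cyrus; re-run testssl.sh against the real listener after any change.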
  • From Roman Medina-Heigl Hernandez@21:1/5 to All on Sat May 9 23:00:03 2020
    Wow, it works! Thank you!

    " Has server cipher order? yes (OK) -- TLS 1.3 and below"

    Cheers,

    -r

    On 09/05/2020 at 21:53, Jonas Andradas wrote:
    Hi Roman,

    Did you try with the following in imapd.conf?

    tls_prefer_server_ciphers: 1

    Regards,
    Jonas.

    On Sat, 9 May 2020, 01:22 Roman Medina-Heigl Hernandez,
    <roman@rs-labs.com> wrote:

    Thanks Alberto. Now it's solved (it has been a little bit tricky).

    My final config:

    * /etc/imapd.conf
    tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
    tls_versions: tls1_0 tls1_1 tls1_2 tls1_3

    * /etc/ssl/openssl.cnf
    MinProtocol = TLSv1.0
    CipherString = DEFAULT@SECLEVEL=2

    Still don't know how to fix the "Has server cipher order? no (NOT
    ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).


    Cheers,
    -r

    On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
    > Hi,
    >
    > It's probably due to new defaults in libssl.
    > Try adding:
    > MinProtocol = None
    > CipherString = DEFAULT
    > To:
    > /etc/ssl/openssl.cnf
    >
    > Regards,
    >
    > Alberto
    >
    > On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
    >> Hi,
    >>
    >> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
    >> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
    >> they're not recommended but I need them for older clients). I tried
    >> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
    >> (even very permissive combinations) with no success.
    >>
    >> Any idea what's happening?
    >>
    >> I'm not sure whether it's really a Cyrus issue or some other kind of
    >> hardening feature in Buster. In that last regard, I also modified
    >> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
    >> I think this setting is only for client programs like Curl. But seeing
    >> that config I tend to think that Buster may have other tweaks against
    >> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
    >>
    >> Cheers,
    >>
    >> -r
    >>


