Subject: Re: [Imap-uw] Howto disable SSLv3 and only use TLS
From: David Severance
Date: 15.10.2014 21:31
To: Charles Swiger, Jimmy Dorff
CC: imap-uw@u.washington.edu
Message-ID: <543ECBA0.4000103@uci.edu>
References: <543EC09C.40409@phy.duke.edu>
It is possible to do this. Edit the imap source code and recompile. Especially if you can't upgrade your openssl.

Edit the file src/osdep/unix/ssl_unix.c and change this define:

#define SSLCIPHERLIST "ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"

You'll notice I've also disabled NULL and DES too as they are weak crypto.

If you want to support TLSv1.1 and TLSv1.2 then you'll need to make some additional edits because as it stands now it only supports TLSv1.0. I posted the patch a while back. Here it is again.

> --- ssl_unix.c.orig 2014-08-15 15:51:08.000000000 -0700
> +++ ssl_unix.c.new 2014-08-15 15:51:45.000000000 -0700
> @@ -53,7 +53,7 @@
> * ports (e.g., 993 for IMAP, 995 for POP3) and using TLS exclusively.
> */
>
> -#define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW"
> +#define SSLCIPHERLIST "ALL:!ADH:!EXPORT:!SSLv2:!NULL:!DES:!RC4:+HIGH:+MEDIUM:@STRENGTH"
>
> /* SSL I/O stream */
>
> @@ -234,7 +234,7 @@
> if (ssl_last_error) fs_give ((void **) &ssl_last_error);
> ssl_last_host = host;
> if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
> - TLSv1_client_method () :
> + SSLv23_client_method () :
> SSLv23_client_method ())))
> return "SSL context failed";
> SSL_CTX_set_options (stream->context,0);
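Review bot: the cipher-list hunk (@@ -53) carries no !SSLv3 token, as the text below the patch also points out; before adding one, note that OpenSSL cipher-list keywords such as SSLv3 select cipher suites by the protocol version that introduced them and do not refuse a protocol version on the wire, and which suites !SSLv3 drops differs between OpenSSL releases (on 1.0.x it also drops the suites TLS 1.0 and 1.1 rely on, leaving only TLS 1.2 suites usable). The reliable way to refuse SSLv3 is SSL_OP_NO_SSLv3 via SSL_CTX_set_options, which belongs in the @@ -234 and @@ -717 hunks; the +HIGH:+MEDIUM:@STRENGTH ordering and the !NULL:!DES:!RC4 exclusions are fine to keep.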
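Review bot: in the @@ -234 hunk both arms of the (flags & NET_TLSCLIENT) ? ... : ... conditional now call SSLv23_client_method (), so the conditional is dead code and should be collapsed to a single call. More importantly, the unchanged context line SSL_CTX_set_options (stream->context,0); sets no protocol restriction, and with SSLv23_client_method () OpenSSL negotiates any version it was built with, SSLv3 included, so the thread's goal is only met if that line becomes SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); (SSLv23_client_method () is also what enables TLS 1.1 and 1.2 on OpenSSL 1.0.1 and later). The same two points apply to the server-side hunk at @@ -717, where SSLv23_server_method () without SSL_OP_NO_SSLv3 will still accept SSLv3 from clients.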
> @@ -717,7 +717,7 @@
> }
> /* create context */
> if (!(stream->context = SSL_CTX_new (start_tls ?
> - TLSv1_server_method () :
> + SSLv23_server_method () :
> SSLv23_server_method ())))
> syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
> tcp_clienthost ())

You'll need to include the !SSLv3 flag in the define as I created this patch before all of this.

David

On 10/15/2014 11:52 AM, Charles Swiger wrote:
> Hi--
>
> On Oct 15, 2014, at 11:44 AM, Jimmy Dorff wrote:
>> Is this possible to disable SSLv3 and only accept imaps using TLS?
> Yes. Update to OpenSSL 0.9.8zc (or OpenSSL 1.0.1j) that has been built with no-ssl3 option.
>
> Regards,

--
David Severance
Enterprise Unix Services
Office of Information Technology
(949) 824-7552
sev@uci.edu
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
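An added example, not part of this thread or of the UW IMAP source, showing the two knobs the patch touches through Python's ssl module (a thin wrapper over the same OpenSSL calls): a version-flexible context in place of a TLSv1-only method, and SSLv3 switched off at the protocol level with OP_NO_SSLv3 in addition to the cipher list. The legacy_context() and audit_context() helpers are hypothetical, constructed here for comparison.

```python
import ssl

# Cipher list suggested in the thread. The "!SSLv3" keyword removes cipher
# suites by the protocol version that introduced them; it does not by itself
# refuse an SSLv3 handshake, so the protocol is also switched off via options.
SSLCIPHERLIST = "ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"

# Tokens from the thread's cipher strings marking suites an IMAPS port
# should no longer offer.
WEAK_MARKERS = ("NULL", "DES", "RC4", "EXP", "ADH")


def make_imaps_context(server_side: bool, cipher_list: str = SSLCIPHERLIST) -> ssl.SSLContext:
    """Version-flexible context (what SSLv23_*_method() gives in C) with SSLv3
    disabled at the protocol level, i.e. SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3).
    SSLv2 needs no flag on OpenSSL 1.1.0+, where it was removed entirely."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.options |= ssl.OP_NO_SSLv3
    ctx.set_ciphers(cipher_list)
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Hypothetical model of the unpatched build for comparison: the original
    define and no protocol options, since SSL_CTX_set_options(ctx, 0) sets nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_NO_SSLv3        # clear the bit Python sets by default
    ctx.set_ciphers("ALL:!SSLv2:!ADH:!EXP:!LOW")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Hypothetical checker: flag SSLv3 left negotiable and weak suites offered."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 still negotiable: OP_NO_SSLv3 not set")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append("weak cipher suite offered: " + name)
    return findings


if __name__ == "__main__":
    for label, ctx in (("patched", make_imaps_context(True)), ("legacy", legacy_context())):
        print(label, audit_context(ctx) or ["ok"])
```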