Displaying 20 results from an estimated 894 matches for "sslv2".
2016 Nov 15
1
[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
all and dovecot's defaults simply make OpenSSL error out with "Unknown
protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
seems to know something about it.
While at it, it's also a good idea to disable SSLv3 by default as well.
[1] https://b...
2010 Jan 27
3
How do I make dovecot not use sslv2 for pop?
From nmap:
995/tcp open ssl/pop3 Dovecot pop3d
|_ sslv2: server still supports SSLv2
|_ pop3-capabilities: USER CAPA UIDL PIPELINING RESP-CODES TOP
SASL(PLAIN LOGIN)
pop3 allows SSLv2, imap doesn't. In my dovecot.conf I have:
ssl_cipher_list = ALL:!LOW:!SSLv2
at the global level. Do I need to put it inside the protocol pop3{}
section?
Patric...
2012 Mar 08
1
disabling SSLv2 in dovecot 1.2.17
I've set up a list of ciphers that excludes SSLv2 ciphers (and other weak
ones) in the hope of preventing SSLv2 connections:
ssl_cipher_list = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES
: @STRENGTH
However, this doesn't prevent the SSLv2 connection being allowed as our Nessus
scans show and I'm tasked with trying to p...
2014 Dec 02
4
disabling certain ciphers
...> > easy to parse and avoiding duplicative or deprecated configs?
>
> Yes to both. If you need to support older clients:
>
> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
> ssl_dh_parameters_length = 2048
> ssl_parameters_regenerate = 0
> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why does ssl_protocols behave differently depending on if
$ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
It seems that if ssl_cipher_list is defined,
ssl_protocols = !SSLv2 !SSLv3
results in TLS1.2 being the only one active, but if i...
2018 Jul 30
2
Restricting SSL/TLS protocol versions on Dovecot 2.2.22
...phers in
>> ssl_cipher_list do the same thing ?
>> So is:
>> ssl_cipher_list = !SSLv3
>> equivalent to:
>> ssl_protocols = !SSLv3
>> ssl_cipher_list = !SSLv3
>
>
> No. SSLv3 is not a cipher but a protocol.
>
> "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
>
> For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
Hi Alexander and list,
I think there may be a discrepancy in the documentation.
On the wiki on the "Dovecot SSL Configuration" page [1] under the section "SSL securi...
2014 Dec 02
2
disabling certain ciphers
...precated configs?
>>>
>>> Yes to both. If you need to support older clients:
>>>
>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>> ssl_dh_parameters_length = 2048
>>> ssl_parameters_regenerate = 0
>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>
>> But why does ssl_protocols behave differently depending on if
>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>
>> It seems that if ssl_cipher_list is defined,
>> ssl_protocols = !SSLv2 !SSLv3
>...
2015 Jan 05
2
'ssl_cipher_list' setting
Hi, I am Yoshi, Japanese.
I used
FreeBSD 10.1
Dovecot 2.2.15
I want pop3s, so I made
/usr/local/etc/dovecot/local.conf
ssl = yes
ssl_cert = </usr/local/etc/dovecot/server.pem
ssl_key = </usr/local/etc/dovecot/server.key
ssl_ca = </usr/local/etc/dovecot/ca.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4
It works fine.
But, change
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4
( SSLV3 -> SSLv3 )
I had trouble.
/var/log/maillog
Jan 6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0
sec...
2009 Feb 26
2
openssh and SSLv2 ciphers
Hi,
I am trying to confirm that openssh transmissions do not use any kind of
SSLv2 ciphers. I have glanced through the code briefly, and I did not
find any indication that any openssl ciphers are even being used (it
appears that openssl is used primarily for RSA key generation and select
other things). So openssh uses its own built-in ciphers instead, right?
Thanks for the ass...
2017 Jan 17
3
Correct settings for "ssl protocols" and "ssl ciphers"
I have the following two settings in my "10-ssl.conf" file
# SSL protocols to use
ssl_protocols = !SSLv2
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
I have seen different configurations while Googling. I am wondering
what the consensus is for the best settings for these two items. What
do the developers recommend?
Thanks!
--
Jerry
2018 Mar 11
0
2.2.34 broken if ssl_protocols contains !SSLv2
The code in ssl_protocols_to_min_protocol() to convert ssl_protocols to
min/max values can't cope with strings containing "!SSLv2".
dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
This string might be configured explicitly by the user, or if the user
hasn't configured this themselves it could also come from the default
because master_service_ssl_default_settings sets...
2014 Dec 02
2
disabling certain ciphers
...EDIUM:!LOW
however, doing this seems to make v3 still work unless I explicitly do
!SSLv3 in ssl_cipher_list in addition to disabling it in $ssl_protocols.
This is different from Apache, which has similar parameters, but where
disabling the protocol takes precedence.
If I just do:
ssl_protocols = !SSLv2 !SSLv3
I still get some ciphers that show up as "weak", e.g.,
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
[.....
2010 Nov 17
2
domU networking problem
...f the domUs
are connected via vif network interface with a bridge in dom0.
There is a problem invoking following command in every domU:
openssl s_client -connect pop.googlemail.com:995 -showcerts
After some minutes the command stops with an ssl handshake error. In a
tcpdump I can see, that after SSLv2 Client Hello only TCP
retransmissions are sent by the domU. There is no answer from the
server. The TCP handshake with the server is ok, the TCP finish too.
If I call the same command in dom0, everything works, after SSLv2
Client Hello the server answers with SSLv2 Server Hello and so on.
Finally...
2015 Jan 16
4
Outlook and TLSv.1
...2 which made the Outlook users happy.
I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
ssl_cert = </var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2
The certificate is from Comodo using sha256.
Any idea?
Oliver
--
Protect your environment - close windows and adopt a penguin!
2015 Mar 04
2
New FREAK SSL Attack CVE-2015-0204
Hello,
about the CVE-2015-0204, in apache the following config seems to disable
this vulnerability:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite
HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
Is something similar possible with dovecot ?
If yes, what are the implications with old mail clients ?
--
Best regards,
Adrian Minta
2019 Sep 30
1
Sieve replication - does not replicate
...E: You can get a new clean config file with:
doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in
/etc/dovecot/conf.d/10-ssl.conf:51: ssl_protocols has been replaced by
ssl_min_protocol
doveconf: Error: Could not find a minimum ssl_min_protocol setting from
ssl_protocols = !SSLv2 !SSLv3: Unrecognized protocol 'SSLv2'
doveconf: Warning: NOTE: You can get a new clean config file with:
doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in
/etc/dovecot/conf.d/10-ssl.conf:51: ssl_protocols has been replaced by
ssl_min_protocol
doveconf: Error: Coul...
2015 Jan 09
4
dovecot on wheezy, best ssl configuration ?
Hi all, when hardening dovecot against the POODLE vulnerability,
we followed the advice to disable SSL2 and SSL3
but this is giving problems with some email clients (claws-mail).
ssl_protocols = !SSLv2 !SSLv3
results in the following error:
dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>,
rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
session=<2C8jBjIMmQBVGNd1>
Our smtp server is...
2015 Apr 01
2
FYI: SSH1 now disabled at compile-time by default
I mentioned extensions because I had a few and saw them die.
the 40-bit ssl is the web interface for power5 (the so-called ASMI https
interface). These ports have no access to "outside", on a separate lan
segment. my desktop, not acting as router, can connect to non-Natted and
NATted segments.
re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
Sounds like a
2016 Mar 09
2
Client-initiated secure renegotiation
...in Dovecot to disable
> "Client-initiated secure renegotiation".
>
> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>
> Is it possible to have this possibility through an SSL option or other ?
>
> Thank you.
>
> Florent
ssl_protocols = !SSLv3 !SSLv2
Is that enough?
2018 Aug 26
2
Mail has quit working
On 26.08.2018 at 20:48, TE Dukes wrote:
>> You see a basic error message "Could not connect to localhost:143". So
>> test that without using additional software. Foremost consult the
>> maillog, in this case the log content produced by dovecot. And test
>> connectivity on the lowest level.
>>
>> echo QUIT | openssl s_client -connect localhost:143
2014 Dec 02
0
disabling certain ciphers
...02.12.2014 at 17:33, Darren Pilgrim wrote:
> On 12/2/2014 1:32 AM, Reindl Harald wrote:
>>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>>> ssl_dh_parameters_length = 2048
>>>> ssl_parameters_regenerate = 0
>>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>>
>>> But why does ssl_protocols behave differently depending on if
>>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>>
>>> It seems that if ssl_cipher_list is defined,
>>> ssl_proto...