Discussion:
Howto disable SSLv3 and only use TLS
Jimmy Dorff
2014-10-15 18:44:44 UTC
Is it possible to disable SSLv3 and only accept imaps using TLS?

Thanks,
Jimmy
Charles Swiger
2014-10-15 18:52:36 UTC
Hi--
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
Yes. Update to OpenSSL 0.9.8zc (or OpenSSL 1.0.1j) that has been built with the no-ssl3 option.

Regards,
David Severance
2014-10-15 19:31:44 UTC
It is possible to do this. Edit the imap source code and recompile.
Especially if you can't upgrade your openssl. Edit the file
src/osdep/unix/ssl_unix.c and change this define:

#define SSLCIPHERLIST "ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"

You'll notice I've also disabled NULL and DES, as they are weak
crypto. If you want to support TLSv1.1 and TLSv1.2 then you'll need to
make some additional edits, because as it stands now it only supports
TLSv1.0. I posted the patch a while back. Here it is again.
--- ssl_unix.c.orig 2014-08-15 15:51:08.000000000 -0700
+++ ssl_unix.c.new 2014-08-15 15:51:45.000000000 -0700
@@ -53,7 +53,7 @@
* ports (e.g., 993 for IMAP, 995 for POP3) and using TLS exclusively.
*/
-#define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW"
+#define SSLCIPHERLIST
/* SSL I/O stream */
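Review bot: the `+#define SSLCIPHERLIST` line carries no value, so as posted the macro expands to nothing and the later cipher-list call will not compile; the replacement string was lost somewhere between the patch file and the mail. Repost the hunk with the intended literal, presumably the one given earlier in this message, `"ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"`, with the `!SSLv3` already in place rather than left for readers to add.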
@@ -234,7 +234,7 @@
if (ssl_last_error) fs_give ((void **) &ssl_last_error);
ssl_last_host = host;
if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
SSLv23_client_method ())))
return "SSL context failed";
SSL_CTX_set_options (stream->context,0);
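Review bot: the context line `SSL_CTX_set_options (stream->context,0);` is where the protocol restriction belongs, not the cipher string. With the version-flexible `SSLv23_client_method ()` kept above, an options word of 0 leaves every protocol version negotiable, so passing `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` here is what actually refuses an SSLv3 handshake; a `!SSLv3` cipher-string keyword only removes the suites OpenSSL tags as SSLv3-era, which are also the suites TLS 1.0 and 1.1 clients rely on, so it costs interoperability without cleanly disabling the protocol. The hunk's own `-`/`+` lines did not survive posting, so the substitution itself cannot be reviewed.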
@@ -717,7 +717,7 @@
}
/* create context */
if (!(stream->context = SSL_CTX_new (start_tls ?
SSLv23_server_method ())))
syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
tcp_clienthost ())
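Review bot: the server path has no `SSL_CTX_set_options` call in the visible context after the `SSL_CTX_new (start_tls ? ... SSLv23_server_method ())` creation, and this is the side that decides whether an imaps client may use SSLv3; set `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` on the new server context just as on the client one. As in the previous hunk, the changed lines are missing from the post, so the hunk needs to be reposted complete.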
You'll need to add the !SSLv3 flag to the define, as I created
this patch before all of this.

David
Dan Lukes
2014-10-15 19:15:29 UTC
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
As far as I know, no. But I created a custom source patch for
osdep/unix/ssl_unix.c

Such a patch allows me to write something like

set ssl-protocols -ALL +TLSv1
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!SSLv2

into the c-client.cf file.

The patch is not ready for other OSes like NT, but it should not be so hard
to port it.

You didn't specify your environment.

Dan
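As an added example (not code from this thread, from the c-client sources or from Dan's patch), the Python script below models the `set ssl-protocols -ALL +TLSv1` token syntax as a small parser and then uses the local OpenSSL library through Python's ssl module to show what the `!SSLv3` keyword in David's SSLCIPHERLIST actually does: it removes cipher suites, not the SSLv3 protocol. The directive's token set, the label set and all function names are assumptions; nothing touches the network.

```python
import ssl

# Protocol names the hypothetical "set ssl-protocols" directive is assumed
# to accept; the "-ALL +TLSv1" syntax is modelled on Dan's post.
PROTOCOL_NAMES = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Labels OpenSSL attaches to suites whose minimum version is SSLv3
# ("SSLv3" in 1.1.x and later, "TLSv1/SSLv3" in 1.0.x).
SSLV3_LABELS = {"SSLv3", "TLSv1/SSLv3"}


def parse_ssl_protocols(spec):
    """Return the set of protocol names enabled by a spec such as
    '-ALL +TLSv1 +TLSv1.2'.  Tokens apply left to right; an empty spec
    leaves everything enabled (an assumption about the directive)."""
    enabled = set(PROTOCOL_NAMES)
    for token in spec.split():
        sign, name = token[:1], token[1:]
        if sign not in ("+", "-") or (name != "ALL" and name not in PROTOCOL_NAMES):
            raise ValueError("bad ssl-protocols token: %r" % token)
        names = set(PROTOCOL_NAMES) if name == "ALL" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def suite_versions(cipher_string):
    """Feed cipher_string to the local OpenSSL (no network) and return the
    set of minimum-version labels of the cipher suites that survive it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["protocol"] for c in ctx.get_ciphers()}


def keeps_sslv3_era_suites(cipher_string):
    """True if any suite usable from SSLv3 upward survives cipher_string.
    Those suites are also what TLS 1.0/1.1 clients negotiate, so !SSLv3 in
    the cipher string trades interoperability for a restriction that belongs
    in SSL_CTX_set_options (or minimum_version here) instead."""
    return bool(suite_versions(cipher_string) & SSLV3_LABELS)


if __name__ == "__main__":
    print(sorted(parse_ssl_protocols("-ALL +TLSv1")))
    # The original c-client define versus David's edited one.
    print(keeps_sslv3_era_suites("ALL:!SSLv2:!ADH:!EXP:!LOW"))
    print(keeps_sslv3_era_suites("ALL:!SSLv2:!SSLv3:!ADH:!EXP:!LOW:!NULL:!DES"))
```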
David Severance
2014-10-15 19:33:19 UTC
Dan,

I'd love to see your patch, can you post it? Did your patch also allow
DHE ciphers to be used?

thanks,
David
Post by Dan Lukes
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
As far as I know, no. But I created a custom source patch for
osdep/unix/ssl_unix.c
Such a patch allows me to write something like
set ssl-protocols -ALL +TLSv1
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!SSLv2
into the c-client.cf file.
The patch is not ready for other OSes like NT, but it should not be so
hard to port it.
You didn't specify your environment.
Dan
_______________________________________________
Imap-uw mailing list
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
Jimmy Dorff
2014-10-15 19:32:05 UTC
Post by Dan Lukes
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
As far as I know, no. But I created a custom source patch for
osdep/unix/ssl_unix.c
Such a patch allows me to write something like
set ssl-protocols -ALL +TLSv1
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!SSLv2
into the c-client.cf file.
The patch is not ready for other OSes like NT, but it should not be so hard to
port it.
You didn't specify your environment.
I'm on CentOS Linux and specifically using the panda-imap now on github.
Is the patch available for testing?

Cheers,
Jimmy
Dan Lukes
2014-10-15 20:03:37 UTC
Post by Jimmy Dorff
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
I created a custom source patch for osdep/unix/ssl_unix.c
Such a patch allows me to write something like
set ssl-protocols -ALL +TLSv1
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!SSLv2
into the c-client.cf file.
I'm on CentOS Linux and specifically using the panda-imap now on github.
My patch has been created for imap-uw. I'm not familiar with panda-imap
sources. It may or may not be portable to them.
Post by Jimmy Dorff
Is the patch available for testing?
See http://www.freebsd.cz/~dan/patch-DAN-SETSSLCIPHER
Post by Jimmy Dorff
Did your patch also allow DHE ciphers to be used?
My ssl-cipher-list accepts the same values as the -cipher option of the
underlying OpenSSL library.

Dan
scott hollatz
2014-10-15 20:26:25 UTC
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
I created a custom source patch for osdep/unix/ssl_unix.c
Post by Jimmy Dorff
Post by Dan Lukes
Such a patch allows me to write something like
set ssl-protocols -ALL +TLSv1
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!SSLv2
into the c-client.cf file.
I'm on CentOS Linux and specifically using the panda-imap now on github.
My patch has been created for imap-uw. I'm not familiar with panda-imap
sources. It may or may not be portable to them.
I had never seen the panda-imap source until five minutes ago. Cloning from
github and then running
find . -type f | xargs grep -l TLSv1
spits out ./src/osdep/unix/ssl_unix.c; then grep -i cipher on
it gives #define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW" .
Should be easy to tweak+compile.
Is the patch available for testing?
See http://www.freebsd.cz/~dan/patch-DAN-SETSSLCIPHER
Did your patch also allow DHE ciphers to be used?
My ssl-cipher-list accepts the same values as the -cipher option of the underlying
OpenSSL library.
Dan
--
scott hollatz
information technology systems and services
university of minnesota duluth mn usa
net: ***@d.UMn.eDu tel: +1 218 726 8851 fax: +1 218 726 7674
Asn aD ta zlAp em uT zt33rg
David Severance
2014-10-15 20:40:45 UTC
Panda Imap was the continuation of UW-Imap after Mark and everyone else
was shown the door at UW. It's pretty much UW-Imap with patches and
enhancements. Every single user of UW-Imap should seriously consider
upgrading to it. Previously you had to make a donation to Mark to get
access to it (we did). Since his passing it's up there on github for all.

David
Post by Jimmy Dorff
Is it possible to disable SSLv3 and only accept imaps using TLS?
I created a custom source patch for osdep/unix/ssl_unix.c
Such a patch allows me to write something like
set ssl-protocols -ALL +TLSv1
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!SSLv2
into the c-client.cf file.
I'm on CentOS Linux and specifically using the panda-imap now on github.
My patch has been created for imap-uw. I'm not familiar with
panda-imap sources. It may or may not be portable to them.
I had never seen the panda-imap source until five minutes ago. Cloning
from github and then running
find . -type f | xargs grep -l TLSv1
spits out ./src/osdep/unix/ssl_unix.c; then grep -i cipher on
it gives #define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW" .
Should be easy to tweak+compile.
Is the patch available for testing?
See http://www.freebsd.cz/~dan/patch-DAN-SETSSLCIPHER
Did your patch also allow DHE ciphers to be used?
My ssl-cipher-list accepts the same values as the -cipher option of the
underlying OpenSSL library.
Dan
--
David Severance
Enterprise Unix Services
Office of Information Technology
(949) 824-7552
***@uci.edu
Dan Lukes
2014-10-15 21:15:23 UTC
Panda Imap was the continuation of UW-Imap after Mark and everyone else was
shown the door at UW. It's pretty much UW-Imap with patches and enhancements.
Every single user of UW-Imap should seriously consider upgrading to it.
I considered it, but I found no reason to move from imap-uw 2007. It
lacks no features I need ...

Well, I backported the ESEARCH UID patch from panda to it.

And I need a configurable SSL cipher list, but such a feature is not
available even in panda-imap.

In addition, imap-uw is supported by FreeBSD's ports system, but no
volunteer willing to create support for panda-imap has been found. I
assume it has been caused by the former non-free licensing policy.

But I'm not going to start a uw versus panda flamewar in any way. I just
see no reason to move to Panda.

Dan
