Ssl – Disabling SSLv2 in Courier IMAP

Tags: courier, courier-imap, imap, ssl, starttls

I'm attempting to disable SSLv2 support (amongst other things) in Courier on Linux. In /etc/courier/imapd-ssl I have:

TLS_CIPHER_LIST="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:!ADH:@STRENGTH:!3DES"
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

This works nicely on imaps (993/tcp):

# openssl s_client -connect localhost:995 -ssl2
CONNECTED(00000003)
write:errno=104

But for STARTTLS on 143/tcp it still seems to allow SSLv2:

openssl s_client -connect localhost:143 -starttls imap -ssl2
CONNECTED(00000003)

By contrast:

openssl s_client -connect localhost:143 -starttls imap -ssl3
CONNECTED(00000003)
140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 549 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1492550234
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---

So it looks to me as if SSLv2 is still enabled when using STARTTLS on 143.

Best Answer

Since SSLv2 and SSLv3 have been obsolete for years and TLS is the successor, nowadays you probably want to disable TLS 1.0 and TLS 1.1 in Courier. Don't set the TLS_CIPHER_LIST! The default will be fine; it will take the settings from your OpenSSL settings.

In /etc/courier/imapd-ssl set

TLS_PROTOCOL="TLSv1.2"

This will allow TLS 1.2 or newer (TLS 1.3 is out).

Whether TLSv1.2 works depends on whether your OpenSSL library is recent enough to support TLS 1.2.

To check whether it worked, see the result of

openssl s_client -tls1_1 -connect mail.example.org:993
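Both the question's probes on port 143 and the answer's check on 993 hinge on reading `openssl s_client` output correctly: as the SSLv3 transcript above shows, `Verify return code: 0 (ok)` is printed even when no session was negotiated, so the reliable signal is the `New, ..., Cipher is ...` line. The script below is an added example, not code from the question, the answer or the Courier project. It embeds two constructed `s_client` transcripts to show the classification, and `probe_starttls` runs the real probe against a host and port you supply (the hostname is a placeholder); protocol flags that your OpenSSL build does not support will also print as `rejected`, so check the raw output if every row fails.

```shell
#!/bin/sh
# Added example: classify openssl s_client transcripts and probe a Courier
# IMAP STARTTLS listener for which protocol versions it still accepts.

# Constructed sample: a successful TLS 1.2 handshake (not captured from a real server).
SAMPLE_OK=$(cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
EOF
)

# Constructed sample: the server refused the requested version, modelled on
# the SSLv3 transcript in the question. Note the "ok" verify code despite failure.
SAMPLE_FAIL=$(cat <<'EOF'
CONNECTED(00000003)
140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
)

# handshake_result TRANSCRIPT -> prints "accepted" or "rejected".
# A handshake only counts as accepted when a real cipher was negotiated;
# a bare CONNECTED line (as in the question's -ssl2 attempt) or
# "Cipher is (NONE)" both count as rejected.
handshake_result() {
    if printf '%s\n' "$1" | grep -q '^New, .*Cipher is [^(]'; then
        echo accepted
    else
        echo rejected
    fi
}

# negotiated_protocol TRANSCRIPT -> prints the "Protocol  :" value (may be empty).
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# probe_starttls HOST [PORT] -> one line per protocol flag: flag, verdict, protocol.
# stdin is /dev/null so s_client exits right after the handshake instead of
# waiting for IMAP commands.
probe_starttls() {
    host="$1"
    port="${2:-143}"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -starttls imap "$flag" </dev/null 2>&1)
        printf '%-8s %-9s %s\n' "$flag" "$(handshake_result "$out")" "$(negotiated_protocol "$out")"
    done
}

# Usage: sh probe.sh mail.example.org 143   (hostname is a placeholder)
if [ "$#" -ge 1 ]; then
    probe_starttls "$1" "$2"
fi
```

After `TLS_PROTOCOL="TLSv1.2"` takes effect (and Courier is restarted), every row except `-tls1_2` and, where the library supports it, `-tls1_3` should read `rejected`; an `accepted` row for `-tls1` or `-tls1_1` means the STARTTLS listener is still picking up the old `TLS_STARTTLS_PROTOCOL` setting.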