is TLS/SSL selection/connection ONLY via port 993?
Henrique de Moraes Holschuh
hmh at debian.org
Tue Nov 16 03:36:25 EST 2004
On Mon, 15 Nov 2004, OpenMacNews wrote:
> but, why is "imapd -s is for IMAP connections that are externally wrapped
> by SSL" --> considered "BAD"?
Because TLS allows one to select which certificate to present, and SSL
doesn't. SSLv3 is pretty much as good as TLSv1 otherwise (but I gather that
TLSv1 has a better method to setup the shared symetrical key).
SSLv2 should not be used at all if you can help it, it has even more
weaknesses, to the point that TLS servers will effectively deny SSLv2
connections to anything they detect to support TLS :).
SSLv1 is an absolute no.
> i presume, then, that SSLvX *starts* encrypted ... hence the port 993.
> true?
Yes.
> >BTW add this to imapd.conf:
> >tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I did
some extra reading.
> tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> i _thought_ the !ADH is there by default ... and i see no reason NOT to
> explicitly include (ALL) the high/med grade ciphers.
It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the
later is better). Try openssl ciphers -v, and you'll see.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list