is TLS/SSL selection/connection ONLY via port 993?
OpenMacNews
cyrus-info.20.openmacnews at spamgourmet.com
Tue Nov 16 02:52:48 EST 2004
hi henrique!
> On Mon, 15 Nov 2004, OpenMacNews wrote:
>> SERVICES {
>> # imap cmd="imapd" listen="imap" prefork=0
>> imaps cmd="imapd -s" listen="imaps" prefork=0
>
> That's not what you want.
<snip>
aha. nice & clear again. thx!
but, why is "imapd -s is for IMAP connections that are externally wrapped by
SSL" --> considered "BAD"?
> TLS starts with
> plaintext, and goes to encryption early (before any sensitive information is
> exchanged, but *after* important stuff that could be useful to select
> encryption/authentication keys like the server name is exchanged).
the 'starts with plaintext' explains why the UNencrypted 'imap' port (vs
'imaps') is used for the TLS connection.
i presume, then, that SSLvX *starts* encrypted ... hence the port 993. true?
> BTW add this to imapd.conf:
> tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> That will disable all weak ciphers, and leave you with medium grade and high
> grade ciphers. Try openssl cipher -v '<what you have in tls_cipher_list>'
> to see what you get. If you can get away with it, remove SSLv2 (add !SSLv2
> after ALL:) too. man ciphers (openssl ciphers) to see how this works.
i actually had:
tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
i _thought_ the !ADH is there by default ... and i see no reason NOT to
explicitly include (ALL) the high/med grade ciphers.
ok. fair enough!
>
> And try to have both sides of the connection authenticated (require client
> certificates with a certification path known to the server).
i already have, setting up my own local CA ... i've just removed the step from
the equation for now while i step-by-step the testing/configuration ...
cheers,
richard
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
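The thread's advice is to expand a candidate tls_cipher_list with `openssl ciphers -v` and look at what survives. The script below, an added example that is not part of the thread and not Cyrus code, does that expansion offline through Python's ssl module (which hands the string to the same OpenSSL cipher-string parser) and audits the result for the three things the reply warns about: anonymous key exchange, NULL encryption and low-grade strength. Two things it assumes that postdate the 2004 thread: on modern OpenSSL the cipher string governs only TLS 1.2 and earlier (TLS 1.3 suites are configured separately and are always authenticated AEAD suites, so they are skipped), and `!ADH` excludes anonymous DH only, so the third string `HARDENED` uses `!aNULL:!eNULL`, which also covers anonymous ECDH (AECDH-*) suites. The 112-bit floor is this example's own choice.

```python
"""Expand a Cyrus tls_cipher_list string and flag suites a mail server
should not offer: anonymous (unauthenticated) key exchange, NULL
encryption, and low-strength suites.

Added example for this thread; not Cyrus IMAP code.  ssl.SSLContext
.set_ciphers() uses the OpenSSL cipher-string parser, so the expansion
is what `openssl ciphers -v '<string>'` prints on the same OpenSSL build.
"""
import ssl

# The two cipher strings quoted in the thread.
RECOMMENDED = "ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
ORIGINAL = "TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"   # no !ADH

# Assumption of this example: the same policy written with the aliases
# that exclude every unauthenticated (aNULL, i.e. ADH and AECDH) and
# unencrypted (eNULL) suite.
HARDENED = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!LOW:@STRENGTH"

# Assumption of this example: 112 bits (3DES, OpenSSL's MEDIUM grade) is
# the floor; anything weaker is export/LOW grade.
MIN_STRENGTH_BITS = 112


def expand(cipher_string):
    """Return the suites OpenSSL derives from cipher_string.

    Each entry's "description" is the line `openssl ciphers -v` prints
    for that suite.  Raises ssl.SSLError if nothing matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return [(suite name, reason), ...] for every TLS <= 1.2 suite in
    the expansion that is anonymous, unencrypted, or weaker than
    MIN_STRENGTH_BITS.  An empty list means the string is clean."""
    findings = []
    for suite in expand(cipher_string):
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not selected by the cipher string
        # description looks like "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1"
        desc = suite["description"]
        if "Au=None" in desc:
            findings.append((suite["name"], "anonymous key exchange, server not authenticated"))
        if "Enc=None" in desc:
            findings.append((suite["name"], "NULL cipher, no confidentiality"))
        if suite["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append((suite["name"], "only %d-bit" % suite["strength_bits"]))
    return findings


def is_clean(cipher_string):
    """True if audit() finds nothing to object to."""
    return not audit(cipher_string)


if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL),
                      ("recommended", RECOMMENDED),
                      ("hardened", HARDENED)):
        print("%s: tls_cipher_list: %s" % (label, cs))
        try:
            suites = expand(cs)
        except ssl.SSLError as exc:
            print("  rejected by this OpenSSL build: %s" % exc)
            continue
        print("  %d suites, first offered: %s" % (len(suites), suites[0]["name"]))
        for name, reason in audit(cs):
            print("  WEAK %-28s %s" % (name, reason))
        print("  clean: %s" % is_clean(cs))
```

Run it against the OpenSSL that Cyrus is linked with, since the expansion depends on the build: suites compiled out, the library's security level, and, on older builds, whether the `SSLv2` alias still exists. Anything reported as `Au=None` is exactly the case the reply's `!ADH` was meant to remove, and on a library with ECDH support you will see why `!aNULL` is the safer spelling.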