Disable SSLv2 ?
Ken Murchison
murch at andrew.cmu.edu
Tue Oct 28 06:51:25 EDT 2008
Wesley Alan Wright wrote:
> Using cyrus-imapd-2.2.12-9.RHEL4.i386 and cyrus-sasl-2.1.19-14.i386,
> trying to disable sslV2 to satisfy silly PCI (Purchase Card Industry)
> requirements yet keep ports 993 and 995 open. Tried 37 different
> variations of tls_cipher_list including draconian tls_cipher_list: -ALL:
> +HIGH:-SSLv2m yet
>
> openssl s_client -ssl2 -connect localhost:993
>
>
> Still yields
>
> SSL handshake has read 987 bytes and written 239 bytes
> ---
> New, SSLv2, Cipher is DES-CBC3-MD5
> Server public key is 1024 bit
> SSL-Session:
> Protocol : SSLv2
> Cipher : DES-CBC3-MD5
>
>
> I'm beginning to think it can't be done?

I've used this in the past and it works just fine:

    tls_cipher_list: DEFAULT:!SSLv2:!LOW:!EXPORT

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
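
The two cipher strings in this thread differ in their operators, which OpenSSL's ciphers(1) documents as: "-" deletes but allows re-adding, "!" deletes permanently, "+" only moves ciphers already in the list to the end. The following is an added example, not part of the original messages and not Cyrus or OpenSSL code: a simplified model of those rules over a constructed cipher table, with DEFAULT treated like ALL as an assumption.

```python
import re

# Constructed cipher table (name, protocol, strength class) for illustration;
# it is not the list of any real OpenSSL build.
CIPHERS = [
    ("AES256-SHA",   "SSLv3", "HIGH"),
    ("DES-CBC3-SHA", "SSLv3", "HIGH"),
    ("RC4-SHA",      "SSLv3", "MEDIUM"),
    ("DES-CBC-SHA",  "SSLv3", "LOW"),
    ("EXP-RC4-MD5",  "SSLv3", "EXPORT"),
    ("DES-CBC3-MD5", "SSLv2", "HIGH"),
    ("RC2-CBC-MD5",  "SSLv2", "MEDIUM"),
    ("DES-CBC-MD5",  "SSLv2", "LOW"),
]

def matches(key, cipher):
    # Assumption: DEFAULT is treated like ALL in this simplified model.
    return key in ("ALL", "DEFAULT") or key in cipher

def evaluate(rule):
    """Return the ordered cipher names a cipher string selects."""
    active, killed = [], set()
    for token in re.split(r"[:, ]+", rule.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        hits = {c[0] for c in CIPHERS if matches(token[len(op):], c)}
        if op == "+":    # move matching ACTIVE ciphers to the end; adds nothing
            active = [n for n in active if n not in hits] + \
                     [n for n in active if n in hits]
        elif op:         # "-" and "!" both drop matches from the list
            active = [n for n in active if n not in hits]
            if op == "!":  # "!" also blocks later re-adding
                killed |= hits
        else:            # bare keyword: append matches not present or killed
            active += [c[0] for c in CIPHERS
                       if c[0] in hits and c[0] not in active and c[0] not in killed]
    return active

def sslv2_offered(rule):
    """Names of SSLv2 ciphers left enabled by the cipher string."""
    v2 = {c[0] for c in CIPHERS if c[1] == "SSLv2"}
    return [n for n in evaluate(rule) if n in v2]

if __name__ == "__main__":
    for rule in ("-ALL:+HIGH:-SSLv2", "DEFAULT:!SSLv2:!LOW:!EXPORT", "-SSLv2:ALL"):
        print(f"{rule!r}: ciphers={evaluate(rule)} sslv2={sslv2_offered(rule)}")
```

In this model "-ALL:+HIGH:-SSLv2" selects no ciphers at all, because "+HIGH" has nothing to move; how a server reacts to an empty selection is outside the model.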