drown/SSL issue

Tony Galecki asgalecki at ucsd.edu
Tue Mar 1 21:57:05 EST 2016


I'm trying to figure out how to make my Cyrus install not susceptible to the DROWN issue.
I have tried limiting the ciphers to TLSv1.2 but haven't had much success.

What should the tls_cipher_list be? Or is this an issue with SSL? (To fix this, do I need to patch the SSL libraries and rebuild SSL and Cyrus?)
From the imapd.conf file:
tls_cipher_list: TLSv1.2:!NULL:!aNULL:!eNULL:!EXPORT:!SSLv2

Thank you!

Other info:
nmap tells me I should be just fine:
nmap --script ssl-enum-ciphers -p T:993 127.0.0.1
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange parameters of lower strength than certificate key
|_  least strength: A

But the Python scanner from https://drownattack.com/ says I still have an issue.

My version info:
name       : Cyrus IMAPD
version    : v2.4.17-Fedora-RPM-2.4.17-8.el7_1 d1df8aff 2012-12-01
vendor     : Project Cyrus
support-url: http://www.cyrusimap.org
os         : Linux
os-version : 3.10.0-327.10.1.el7.x86_64
environment: Built w/Cyrus SASL 2.1.26
             Running w/Cyrus SASL 2.1.26
             Built w/Berkeley DB 5.3.21: (May 11, 2012)
             Running w/Berkeley DB 5.3.21: (May 11, 2012)
             Built w/OpenSSL 1.0.1e-fips 11 Feb 2013
             Running w/OpenSSL 1.0.1e-fips 11 Feb 2013
             Built w/zlib 1.2.7
             Running w/zlib 1.2.7
             CMU Sieve 2.4
             TCP Wrappers
             NET-SNMP
             mmap = shared
             lock = fcntl
             nonblock = fcntl
             idle = idled
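A note on what the question above is actually asking, followed by an added check. This example is not from the original post and not part of Cyrus. `tls_cipher_list` is an OpenSSL cipher string: `!SSLv2` drops the SSLv2 cipher suites from the list, but it does not by itself say which protocol versions the server will negotiate, and DROWN (CVE-2016-0800) does not even need SSLv2 on the IMAPS port: an SSLv2 handshake completed by any service that uses the same RSA private key (SMTP, POP, HTTPS, a second host with the same certificate) is enough to decrypt TLS sessions recorded from port 993. The nmap output above only enumerates TLS suites (nmap's separate `sslv2` script probes SSLv2), so the direct test is to send a raw SSLv2 CLIENT-HELLO and see whether a SERVER-HELLO comes back. The script below does that for an implicit-TLS port; the target host and the sample SERVER-HELLO bytes used for the offline parse are constructed for the example.

```python
"""Probe a TLS endpoint for SSLv2 support (the precondition for DROWN).

Added example, not code from the original post or from Cyrus. It speaks the
SSLv2 record framing from draft-hickman-netscape-ssl-00 directly on a socket.
A server that answers CLIENT-HELLO with an SSLv2 SERVER-HELLO is an SSLv2
oracle for every service that shares its RSA key.
"""
import socket
import struct

# The seven SSLv2 cipher kinds, 3 bytes each. DROWN is practical against the
# export ones (kinds 2 and 4), but any SERVER-HELLO at all means SSLv2 is on.
SSLV2_CIPHERS = {
    "RC4_128_WITH_MD5":              b"\x01\x00\x80",
    "RC4_128_EXPORT40_WITH_MD5":     b"\x02\x00\x80",
    "RC2_128_CBC_WITH_MD5":          b"\x03\x00\x80",
    "RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "IDEA_128_CBC_WITH_MD5":         b"\x05\x00\x80",
    "DES_64_CBC_WITH_MD5":           b"\x06\x00\x40",
    "DES_192_EDE3_CBC_WITH_MD5":     b"\x07\x00\xc0",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# Constructed SERVER-HELLO (no certificate bytes, two export ciphers accepted,
# 16-byte connection id) used to exercise the parser offline.
SAMPLE_SERVER_HELLO = (
    b"\x80\x21"                      # record header: high bit set, length 33
    + bytes([MSG_SERVER_HELLO, 0x00, 0x01])   # msg type, session-id-hit, cert type
    + b"\x00\x02"                    # SSLv2 version
    + b"\x00\x00\x00\x06\x00\x10"    # cert len 0, specs len 6, conn-id len 16
    + b"\x02\x00\x80\x04\x00\x80"    # cipher specs the server accepted
    + b"\x00" * 16                   # connection id
)
# A TLS alert record (0x15, version 3.x) is the usual reply from a server
# that refuses SSLv2 on an implicit-TLS port.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    specs = b"".join(SSLV2_CIPHERS.values())
    session_id = b""
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(specs), len(session_id), len(challenge))
    body += specs + session_id + challenge
    # Two-byte header; high bit set means "no padding, 15-bit length".
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes):
    """Return the cipher kinds named in an SSLv2 SERVER-HELLO, else None.

    None covers a TLS alert, garbage, or an empty reply, i.e. "SSLv2 off".
    """
    if len(data) < 13 or not (data[0] & 0x80):
        return None
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    (_hit, _cert_type, version, cert_len, specs_len,
     conn_len) = struct.unpack("!BBHHHH", body[1:11])
    if version != 0x0002 or len(body) < 11 + cert_len + specs_len + conn_len:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = {v: k for k, v in SSLV2_CIPHERS.items()}
    return [names.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]


def probe(host: str, port: int = 993, timeout: float = 5.0):
    """Send the probe to an implicit-TLS port and parse whatever comes back.

    STARTTLS ports (143, 110, 25) would need the application-layer STARTTLS
    exchange first; that is deliberately not done here.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return None
    return parse_server_hello(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed host
    accepted = probe(target)
    if accepted:
        print(f"{target}:993 completed an SSLv2 handshake: {accepted}")
    else:
        print(f"{target}:993 did not return an SSLv2 SERVER-HELLO")
```

Run it against every port that presents the same certificate, not just 993; a clean result on IMAPS does not clear a key that another daemon still serves over SSLv2. An OpenSSL built without SSLv2 cannot complete this handshake at all, so if the probe returns a SERVER-HELLO the library (not Cyrus) is where the fix goes.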