tls-1.0 and cyrus-imaps-3.0.8

Ken Murchison murch at fastmail.com
Mon Nov 26 10:28:20 EST 2018 

I can't reproduce your issue and I don't see where the sslscan output 
states that TLS1.0 is being advertised.  Can you actually connect using 
TLS1.0 protocol?

openssl s_client -tls1 -connect 215.185.71.17:993


On 11/26/18 10:11 AM, James B. Byrne via Info-cyrus wrote:
> We have this setting in imapd.conf:
>
> tls_versions:               tls1_1 tls1_2 tls1_3
> tls_prefer_server_ciphers:  1
> tls_ciphers:                HIGH:!aNULL:!MD5:!RC4
>
> We have received notice that port 993 on our IMAP service supports
> TLS-1.0.  When we run sslscan we get this result:
>
> # sslscan 216.185.71.17:993
> Version: 1.11.11
> OpenSSL 1.0.2-chacha (1.0.2k-dev)
>
> Connected to 216.185.71.17
>
> Testing SSL server 216.185.71.17 on port 993 using SNI name 216.185.71.17
>
>    TLS Fallback SCSV:
> Server supports TLS Fallback SCSV
>
>    TLS renegotiation:
> Session renegotiation not supported
>
>    TLS Compression:
> Compression disabled
>
>    Heartbleed:
> TLS 1.2 not vulnerable to heartbleed
> TLS 1.1 not vulnerable to heartbleed
> TLS 1.0 not vulnerable to heartbleed
>
>    Supported Server Cipher(s):
> Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256
> DHE 256
> Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256
> DHE 256
> Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256
> DHE 256
> Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
> Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
> Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
> Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
> Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
> Accepted  TLSv1.2  256 bits  AES256-SHA256
> Accepted  TLSv1.2  256 bits  AES256-SHA
> Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
> Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256
> DHE 256
> Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256
> DHE 256
> Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256
> DHE 256
> Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
> Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
> Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
> Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
> Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
> Accepted  TLSv1.2  128 bits  AES128-SHA256
> Accepted  TLSv1.2  128 bits  AES128-SHA
> Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
> Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256
> DHE 256
> Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
> Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
> Accepted  TLSv1.1  256 bits  AES256-SHA
> Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
> Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256
> DHE 256
> Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
> Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
> Accepted  TLSv1.1  128 bits  AES128-SHA
> Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
>
>    SSL Certificate:
> Signature Algorithm: sha512WithRSAEncryption
> RSA Key Strength:    4096
>
> Subject:  imap.harte-lyne.ca
>
>
>
> Yes, I realise that the ciphers we use are all TLS-1.1 and above.
> Nonetheless cyrus-imapd seems to be telling connections that TLS-1.0
> is available and this is causing us a headache with PCI.  How do we
> turn off tls-1.0 in cyrus-imapd-3.0.8?
>
>
-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC

-------------- next part --------------
A non-text attachment was scrubbed...
Name: murch.vcf
Type: text/x-vcard
Size: 4 bytes
Desc: not available
URL: <http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20181126/6ed97d8f/attachment.vcf>

More information about the Info-cyrus mailing list