cyradm and TLS 1.2

John Widera jwidera at oakton.edu
Mon Oct 14 16:43:11 EDT 2019 

Turns out imclient (at least in the latest RHEL7 pkg) is hardcoded to
use TLSv1.  Since we're building binary RPMs from Source RPMs anyway we
modified imclient.c, rebuilt the RPMs, reinstalled the cyrus-imapd-utils
package:  Here's the patch we used: 

---------------------------------------------------- 

--- IMCLIENT.C.ORIG 2012-12-01 13:57:54.000000000 -0600
+++ IMCLIENT.C 2019-10-03 14:40:11.254566297 -0500
@@ -1695,7 +1695,7 @@
RETURN -1;
} 

- IMCLIENT->TLS_CTX = SSL_CTX_NEW(TLSV1_CLIENT_METHOD());
+ IMCLIENT->TLS_CTX = SSL_CTX_NEW(TLSV1_2_CLIENT_METHOD());
IF (IMCLIENT->TLS_CTX == NULL) {
RETURN -1;
}; 

------------------------------------------- 

Maybe this helps someone else. 

Regards,

> Hi All, 
> 
> We're hoping to find some help on the list... 
> 
> We are running Cyrus-IMAP on RHEL7, using an RPM pkg (CYRUS-IMAPD-2.4.17-13.EL7) built from the Red Hat SRC RPM.  We also have SASL, Utils, devel etc pkgs all from RH. 
> 
> Now we're looking to finally move Cyrus completely off insecure TLS versions.  But now there is a lingering issue... 
> 
> We removed tls1_0 from impad.conf, and the CYRADM shell stopped working.  We can no longer connect at all: 
> 
> CYRADM -U CYRUS <SERVER>
> [ SSL_CONNECT ERROR -1 ]
> [ SSL SESSION REMOVED ]
> [ TLS NEGOTIATION DID NOT SUCCEED ]
> CYRADM: CANNOT AUTHENTICATE TO SERVER WITH AS CYRUS 
> 
> CYRADM -U CYRUS --NOTLS <SERVER>
> [ SSL_CONNECT ERROR -1 ]
> [ SSL SESSION REMOVED ]
> [ TLS NEGOTIATION DID NOT SUCCEED ]
> CYRADM: CANNOT AUTHENTICATE TO SERVER WITH AS CYRUS 
> 
> The presumption is (as cyradm is just a wrapper script) any PERL scripts calling Cyrus::IMAP::Admin over a STARTTLS connection could likewise be broken (?) if we block TLS 1.0.  
> 
> cyradm is using TLSv1 per maillog: 
> 
> IMAPS[14096]: STARTTLS: TLSV1 WITH CIPHER <SNIP> 
> 
> Our MAN page for cyradm shows a "--notls" option, which does not work/changes nothing.  Oddly, the cyradm HELP FLAG does NOT show this option, yet cyradm doesn't bark when it's passed: 
> 
> USAGE: CYRADM [ARGS] SERVER
> --USER <USER> CONNECT AS <USER> (AUTHENTICATION NAME)
> --AUTHZ <USER> AUTHORIZE AS <USER>
> --[NO]RC (DO NOT) LOAD THE CONFIGURATION FILES
> --SYSTEMRC <FILE> USE SYSTEM-WIDE CONFIGURATION <FILE>
> --USERRC <FILE> USE USER CONFIGURATION <FILE>
> --PORT <PORT> CONNECT TO SERVER ON <PORT>
> --AUTH <MECHANISM> AUTHENTICATE WITH <MECHANISM> 
> 
> A web search reveals the MAN page for cyradm in Cyrus v.3, and it shows NOTLS as an option to AUTHENTICATE, after a server connection is made, so its unclear to me what's going on... 
> 
> Does anyone have cyradm working with TLS1.2? 
> 
> Regards & THANKS in advance for any assistance or suggestions offered. 
> 
> -- 
> John 
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20191014/d845e142/attachment.html>

More information about the Info-cyrus mailing list