openssl question


openssl question

selcukyazar
Hi

We are using Dovecot on a secure port.

When I try the command

openssl s_client -connect mail.mydomain:pop3s

it works perfectly.

It says ***OK Dovecot ready***

I also checked on the

https://www.sslshopper.com/ssl-checker.html web page and I can see all the correct certificate paths,

but when I try this command

openssl s_client -connect mail.mydomain:pop3s -starttls imap

it says CONNECTED and hangs. Is the second command correct?

Also, my Thunderbird client doesn't work with port 143 and STARTTLS. Is this a general issue, or do we have a config error?

Thanks in advance

Selçuk YAZAR


Re: openssl question

Joseph Tam-2

> but i try to this command
>
> openssl s_client -connect mail.mydomain:pop3s -starttls imap
>
> it says CONNECTED and hang. second command is correct?

Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as
IMAP/SSL (or whatever the hell the terminology is nowadays).

If you're testing IMAP, try one or the other or both depending
on how many flavours of SSL you've got going.

  openssl s_client -starttls imap -connect mail.mydomain:143
  openssl s_client -connect mail.mydomain:993

Joseph Tam <[hidden email]>
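The two commands above differ in where TLS starts, and that is also why the first post's mix of pop3s and -starttls imap hangs. The script below is an added example (mine, not from anyone in this thread): it builds the matching s_client command for each standard port, probes a server in-process the same two ways with Python's ssl/imaplib/poplib, and reads an s_client transcript the way you would by eye. mail.mydomain is the thread's placeholder host; the two transcripts are constructed samples, not captured from a real server.

```python
"""Added example, not code from the thread: probe an IMAP/POP3 server the
two ways Joseph lists (implicit TLS on 993/995, STARTTLS on 143/110) and
read the result like the SSL-Session block of `openssl s_client`.
mail.mydomain is the thread's placeholder host; the s_client transcripts
below are constructed samples."""
import imaplib
import poplib
import re
import socket
import ssl

# 993/995 speak TLS from the first byte (openssl s_client -connect host:993);
# 143/110 start in cleartext and upgrade after a STARTTLS/STLS command
# (openssl s_client -starttls imap|pop3).
TLS_MODE = {993: "implicit", 995: "implicit", 143: "starttls", 110: "starttls"}
STARTTLS_PROTO = {143: "imap", 110: "pop3"}


def probe_mode(port):
    """'implicit' or 'starttls' for a standard IMAP/POP3 port."""
    if port not in TLS_MODE:
        raise ValueError(f"port {port} is not a standard IMAP/POP3 port")
    return TLS_MODE[port]


def sclient_command(host, port):
    """The s_client argv matching the port; -starttls only for 143/110.
    Combining pop3s with -starttls imap (the first post) deadlocks: s_client
    waits for a cleartext greeting while the server waits for a ClientHello."""
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if probe_mode(port) == "starttls":
        argv += ["-starttls", STARTTLS_PROTO[port]]
    return argv


def describe(tls_sock):
    """Negotiated protocol/cipher, like s_client's SSL-Session block."""
    cipher, _version, bits = tls_sock.cipher()
    return {"protocol": tls_sock.version(), "cipher": cipher, "bits": bits}


def probe(host, port, timeout=10):
    """Connect with the flavour the port needs and report what was negotiated."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    if probe_mode(port) == "implicit":
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return describe(tls)
    if port == 143:
        conn = imaplib.IMAP4(host, port, timeout=timeout)  # cleartext greeting
        conn.starttls(ctx)                                 # upgrade in place
        info = describe(conn.sock)
        conn.logout()
    else:
        conn = poplib.POP3(host, port, timeout=timeout)
        conn.stls(ctx)
        info = describe(conn.sock)
        conn.quit()
    return info


def parse_sclient(output):
    """Read s_client output: a Cipher of 0000 or (NONE) means no suite was
    agreed (the client-side view of Dovecot's 'no shared cipher')."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    name = cipher.group(1) if cipher else None
    ok = name not in (None, "0000", "(NONE)")
    return {"handshake_ok": ok,
            "protocol": proto.group(1) if proto else None,
            "cipher": name if ok else None,
            "verify_code": int(verify.group(1)) if verify else None}


# Constructed transcripts in s_client's layout (not captured from a real host).
GOOD_SAMPLE = """CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
* OK Dovecot ready.
"""
FAILED_SAMPLE = """CONNECTED(00000003)
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    import sys
    print(" ".join(sclient_command("mail.mydomain", 143)))
    for text in (GOOD_SAMPLE, FAILED_SAMPLE):
        print(parse_sclient(text))
    if len(sys.argv) == 3:  # e.g. python probe.py mail.mydomain 993
        print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it with no arguments to see the command lines and the two parsed transcripts offline; pass a host and port to probe a live server, which needs network access and a certificate the system trust store accepts.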
Re: openssl question

selcukyazar
OK, I understand the difference.

openssl s_client -starttls imap -connect mail.mydomain:143
openssl s_client -connect mail.mydomain:993

These commands run as expected.

I know this forum isn't about Thunderbird, but when I set up an account in Thunderbird with port 993 and SSL,
I see this line in dovecot.log:

TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

In our Dovecot (2.0.9 on Red Hat) 10-ssl.conf file we have

ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3

settings.

Are these settings correct for Dovecot? If they are correct, can we say there is a problem with Thunderbird? :)

Thanks in advance


On Tue, Jan 9, 2018 at 3:59 AM, Joseph Tam <[hidden email]> wrote:

Re: openssl question

Ryan Beethe
In reply to this post by Joseph Tam-2
> our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!
> aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3
>
> settings. 
>
> this settings is correct for dovecot ? if they correct , can we say there is
> problem for thunderbird ? :)

I think you should fix your dovecot cipher list using the guidance from
Mozilla's security team:

    https://wiki.mozilla.org/Security/Server_Side_TLS

If your server is accessible from the web, you can run this test (it
gives you very helpful advice for configuring your cipher list):

    https://www.htbridge.com/ssl

You can also test your setup with the script from this site (you will
have to download some files but you can run it even if your server is
not connected to the internet).

    https://testssl.sh/

Ryan
Re: openssl question

Joseph Tam-2
In reply to this post by selcukyazar

> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3

Offhand, I don't know of a fast way to match up client cipher specs
and server cipher specs.  The hard part is trying to figure out what
the client is doing.  Maybe you can turn on dovecot "verbose_ssl = yes"
and that will dump SSL diagnostics logs to point out where server/client
cipher negotiations fail.

You can also try running "openssl s_server -cipher 'kEECDH:+...'" on an
alternate port/host, point your client at it, and let this utility dump
out the SSL cipher negotiations.

Joseph Tam <[hidden email]>
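One fast way to match client and server cipher specs, for the "no shared cipher" log line quoted above, is to let the local libssl expand both strings and intersect the results. The script below is an added example (mine, not from the thread or from Dovecot): SERVER_CIPHERS is the ssl_cipher_list posted earlier, and the two client strings are constructed stand-ins for what a mail client might offer, not anything captured from Thunderbird. Which suites the server string keeps depends on the OpenSSL Python is linked against, so compare the output with `openssl ciphers -v '<string>'` on the Dovecot host itself.

```python
"""Added example, not code from the thread: expand two OpenSSL cipher
strings with the libssl linked into Python and list the suites both sides
accept. An empty overlap is exactly what Dovecot logs as 'no shared cipher'.
SERVER_CIPHERS is the ssl_cipher_list quoted in the thread; the client
strings are constructed stand-ins for a mail client's offer."""
import ssl

SERVER_CIPHERS = (
    "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:"
    "kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:"
    "!EXP:!SEED:!IDEA:!3DES:!SSLv3"
)
# Constructed client offers: one with TLS 1.2 AEAD suites, one that only
# knows TLS 1.0-era CBC suites. What the server's trailing !SSLv3 removes
# depends on how the linked libssl classifies suites; check the output.
MODERN_CLIENT = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                 "AES128-GCM-SHA256")
LEGACY_CLIENT = "AES128-SHA:AES256-SHA:DES-CBC3-SHA"


def expand(cipher_string):
    """Suites a cipher string selects, as (name, protocol) in preference
    order, according to the local OpenSSL. TLS 1.3 suites are dropped
    because the cipher-string syntax does not govern them. Raises
    ssl.SSLError when the string selects nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def common_ciphers(server_string, client_string):
    """Suites present in both lists, kept in the server's order."""
    offered = {name for name, _ in expand(client_string)}
    return [name for name, _ in expand(server_string) if name in offered]


def explain(server_string, client_string):
    """One-line verdict for a server/client pair."""
    try:
        common = common_ciphers(server_string, client_string)
    except ssl.SSLError as exc:  # a string that selects no suite at all
        return f"cipher string rejected by local OpenSSL: {exc}"
    if not common:
        return "no shared cipher: handshake would fail"
    return f"would negotiate {common[0]} ({len(common)} candidates)"


if __name__ == "__main__":
    try:
        for name, proto in expand(SERVER_CIPHERS):
            print(f"{proto:8} {name}")
    except ssl.SSLError as exc:
        print("server string rejected by local OpenSSL:", exc)
    print("modern client:", explain(SERVER_CIPHERS, MODERN_CLIENT))
    print("legacy client:", explain(SERVER_CIPHERS, LEGACY_CLIENT))
```

This only compares cipher-string syntax; a real handshake can still fail on protocol version, key type (the server's certificate must suit the kRSA/kEECDH/kEDH suites it lists) or security level, which is where Joseph's verbose_ssl and s_server suggestions come in.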