Wow, it works! Thank you!

" Has server cipher order?     yes (OK) -- TLS 1.3 and below"

Cheers,

-r

On 09/05/2020 at 21:53, Jonas Andradas wrote:
> Hi Roman,
>
> Did you try with the following in imapd.conf?
>
> tls_prefer_server_ciphers: 1
>
> Regards,
> Jonas.
>
> On Sat, 9 May 2020, 01:22 Roman Medina-Heigl Hernandez,
> <ro...@rs-labs.com> wrote:
>
>     Thanks, Alberto. Now it's solved (it has been a little bit tricky).
>
>     My final config:
>
>     * /etc/imapd.conf
>     tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
>     tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
>
>     * /etc/ssl/openssl.cnf
>     MinProtocol = TLSv1.0
>     CipherString = DEFAULT@SECLEVEL=2
>
>     Still don't know how to fix the "Has server cipher order?     no (NOT
>     ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).
>
>
>     Cheers,
>     -r
>
>     On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
>     > Hi,
>     >
>     > It's probably due to new defaults in libssl.
>     > Try adding:
>     > MinProtocol = None
>     > CipherString = DEFAULT
>     > To:
>     > /etc/ssl/openssl.cnf
>     >
>     > Regards,
>     >
>     > Alberto
>     >
>     > On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
>     >> Hi,
>     >>
>     >> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
>     >> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
>     >> they're not recommended but I need them for older clients). I tried
>     >> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
>     >> (even very permissive combinations) with no success.
>     >>
>     >> Any idea what's happening?
>     >>
>     >> I'm not sure whether it's really a Cyrus issue or some other kind of
>     >> hardening feature in Buster. In that last regard, I also modified
>     >> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
>     >> I think this setting is only for client programs like Curl. But seeing
>     >> that config I tend to think that Buster may have other tweaks against
>     >> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
>     >>
>     >> Cheers,
>     >>
>     >> -r
>     >>
>
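
A small audit of the settings discussed in this thread, as an added example that is not part of the original messages: it parses the text of imapd.conf and openssl.cnf and reports legacy protocol versions, missing server cipher preference, a lowered MinProtocol and a CipherString without SECLEVEL 2 or higher. The finding codes, the accepted boolean spellings and treating an absent tls_prefer_server_ciphers as disabled are assumptions.

```python
import re

TRUE = {"1", "yes", "on", "t", "true"}        # boolean spellings treated as enabled (assumption)
OLD_MIN = {"none", "tlsv1", "tlsv1.0", "tlsv1.1"}  # MinProtocol values that admit pre-TLS 1.2

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines; skip blanks, '#' comments and [section] headers."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, found, value = line.partition(sep)   # split on the first separator only
        if found:
            out[key.strip()] = value.strip()
    return out

def audit(imapd_text, openssl_text):
    """Return {finding_code: message} for the settings discussed in the thread."""
    imapd, ossl = parse_kv(imapd_text, ":"), parse_kv(openssl_text, "=")
    found = {}
    # An absent tls_versions line is not evaluated; only explicit legacy entries are flagged.
    legacy = [v for v in imapd.get("tls_versions", "").split() if v in ("tls1_0", "tls1_1")]
    if legacy:
        found["legacy-versions"] = "tls_versions enables " + " ".join(legacy)
    # Assumption: an absent option means the client's cipher order is followed.
    if imapd.get("tls_prefer_server_ciphers", "0").lower() not in TRUE:
        found["client-cipher-order"] = "tls_prefer_server_ciphers is not enabled"
    if ossl.get("MinProtocol", "").lower() in OLD_MIN:
        found["min-protocol"] = "MinProtocol = " + ossl["MinProtocol"]
    level = re.search(r"@SECLEVEL=(\d+)", ossl.get("CipherString", ""))
    if "CipherString" in ossl and (level is None or int(level.group(1)) < 2):
        found["seclevel"] = "CipherString has no @SECLEVEL of 2 or higher"
    return found

# Constructed inputs: the final config quoted in the thread.
IMAPD = "tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH\ntls_versions: tls1_0 tls1_1 tls1_2 tls1_3\n"
OPENSSL = "MinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=2\n"

if __name__ == "__main__":
    # Audit the config without and with the option suggested in the reply.
    for text in (IMAPD, IMAPD + "tls_prefer_server_ciphers: 1\n"):
        print(sorted(audit(text, OPENSSL)))
```
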
