Thomas Preissler:

    ssl_protocols = !SSLv3 !SSLv2
that disable SSLv3

When I enable verbose_ssl I get this:
    2015-03-15 08:27:39 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [$CLIENTIP]
    ...
Is this right? Is SSLv3 used on this connection?

The logging is right, but SSLv3 isn't used.
Today it's not uncommon that applications /log/ SSLv3 where they /mean/ TLS1.x.

Some days ago, when TLSv1 became available, there wasn't a great difference between SSLv3 and TLSv1.
So developers reused large portions of code. That's what you see here.

But when I explicitly test for SSLv3 support I get

    $ openssl s_client -connect $SERVERIP:993 -ssl3

    CONNECTED(00000003)
    140683835029160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
    140683835029160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

That is the ultimate proof your server has SSLv3 disabled.

Andreas
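
The check discussed in this thread can also be run without an `openssl` binary that still supports `-ssl3`. The following is an added example, not part of the original messages: it sends a ClientHello offering only SSLv3 and decodes the first record the server returns, so "SSL alert number 40" shows up as `("alert", 40)`. The function names and the cipher-suite selection are assumptions made for this sketch.

```python
import os
import socket
import struct

SSL3 = (3, 0)  # wire version of SSLv3; TLS 1.0 is (3, 1)

def client_hello(version=SSL3):
    """Build a minimal ClientHello record that offers only `version`."""
    # RSA with AES128-SHA, AES256-SHA and 3DES-SHA (suite choice is an assumption)
    suites = struct.pack("!3H", 0x002F, 0x0035, 0x000A)
    body = (bytes(version) + os.urandom(32)          # client_version, random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def classify(reply):
    """Interpret the first record a server sends back."""
    if len(reply) < 5:
        return ("closed", None)
    rtype, _major, _minor, length = struct.unpack("!BBBH", reply[:5])
    payload = reply[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:           # alert: level, description
        return ("alert", payload[1])
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        return ("server_hello", (payload[4], payload[5]))  # selected version
    return ("unknown", rtype)

def sslv3_accepted(reply):
    """True only if the server answered with a ServerHello selecting SSLv3."""
    return classify(reply) == ("server_hello", SSL3)

def probe(host, port=993, timeout=5.0):
    """Send the SSLv3-only ClientHello to an implicit-TLS port such as IMAPS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        return classify(s.recv(4096))
```

Run `probe()` against your own server; a result of `("server_hello", (3, 0))` means SSLv3 was negotiated. Alert 40 (handshake_failure) can also be sent when no offered cipher suite is shared, so read it together with the server's `ssl_protocols` setting.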
