On Sat, Jan 20, 2001 at 12:28:53AM +0200, Tommi Komulainen wrote:
> > SSL connection using (NONE)
>
> This is not an error message, it's an informational message telling you
> the SSL parameters used on the connection. Seeing 'NONE' there means that
> the connection is *unencrypted*, and we all know that sending passwords
> over an unencrypted link is not a good idea. Instead of 'NONE' you should
> see something more like 'EDH-RSA-DES-CBC3-SHA' to indicate that the
> connection is secure.

When NONE is returned (actually from SSL_CIPHER_get_version()), it means that
no cipher was selected at all. This means that the handshake failed. At this
point the connection should be closed. Therefore no security risk...

> There exist three different protocols, TLSv1, SSLv2, and SSLv3. To check
> each of these, you use the following:
> openssl s_client -host <imap server> -port <port> -verify -debug -no_tls1
> openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl2
> openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl3

The -verify option requires an argument specifying the maximum length of the
certificate chain. It is safe to use a high number well exceeding the expected
length, say "-verify 9". Hmm, I just see that there is no check of the argument
supplied, so probably the -debug is interpreted using "atoi()" and yields
a maximum verify depth of "0".

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
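
The failure mode suspected in the reply above, as an added example that is not part of the original message and not s_client's own source: a hypothetical option parser (`parse_args`, `parse_depth` and `struct opts` are names invented here) in which the word after `-verify` goes through `atoi()`, beside a strict mode that rejects a non-numeric depth. The argument vector is constructed from the commands quoted in the thread.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical option set for this example; not s_client's real structures. */
struct opts { int verify_depth; int debug; };

/* Strict depth parser: a whole non-negative decimal number or an error. */
static int parse_depth(const char *s, int *out)
{
    char *end;
    long v;
    if (s[0] < '0' || s[0] > '9') return -1;   /* rejects "-debug", "", "+1" */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* strict == 0: word after -verify goes through atoi(); else parse_depth(). */
static int parse_args(int argc, char **argv, int strict, struct opts *o)
{
    o->verify_depth = -1; o->debug = 0;        /* -1: -verify not given */
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "-verify") == 0) {
            if (++i >= argc) return -1;        /* -verify was the last word */
            if (!strict)
                o->verify_depth = atoi(argv[i]);   /* "-debug" -> 0, no error */
            else if (parse_depth(argv[i], &o->verify_depth) != 0)
                return -1;                     /* caller should print usage */
        } else if (strcmp(argv[i], "-debug") == 0) {
            o->debug = 1;
        }
    }
    return 0;
}

int main(void)
{
    char *args[] = { "-verify", "-debug", "-no_tls1" };   /* constructed */
    struct opts o;
    int rc = parse_args(3, args, 0, &o);
    printf("lenient: rc=%d depth=%d debug=%d; strict: rc=%d\n",
           rc, o.verify_depth, o.debug, parse_args(3, args, 1, &o));
    return 0;
}
```

In the lenient mode the `-debug` word is consumed as the depth, so the depth becomes 0 and debugging is never switched on; the strict mode fails instead of guessing.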