Public bug reported:

No matter what you put in TLS_CIPHER_LIST and/or TLS_PROTOCOL, the settings are ignored.

There is no way to limit the TLS protocol or cipher list in courier imap or pop. This is critical for PCI compliance. Older versions would allow you to manipulate the tls_cipher_list to get the desired effects. The only setting that seems to change the protocols now is the TLS_DHPARAMS setting. If it is blank you will lose some protocols naturally.

A PCI scan will result in the following errors on an 18.04 server:

IMAP (993/tcp) Early TLS Protocol Detection
IMAP (993/tcp) SSL 64-bit Block Size Cipher Suites Supported (SWEET32) CVE-2016-2183
IMAP (993/tcp) SSL Medium Strength Cipher Suites Supported
IMAP (993/tcp) Sweet32 Birthday Attack CVE-2016-2183
IMAP (993/tcp) TLS Version 1.0 Protocol Detection

The same applies to POP.

A quick way to enumerate the ciphers/protocols currently active:

nmap --script ssl-enum-ciphers -p 993 mail.yourserver.com

** Affects: courier (Ubuntu)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1808649

Title:
  TLS_CIPHER_LIST and TLS_PROTOCOL Ignored
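An added example, not part of the bug report: a filter that reads `nmap --script ssl-enum-ciphers` output and reports the two classes of finding the PCI scan lists (early TLS and 64-bit block ciphers), so a configuration change can be re-checked without a full rescan. The function names and the sample output are constructed for illustration, and "early TLS" is assumed to mean any SSLv* or TLSv1.0 section.

```shell
#!/bin/sh
# Added example: flag early-TLS and 64-bit block cipher findings in
# `nmap --script ssl-enum-ciphers` output read from stdin.
# Assumption: "early TLS" means any SSLv* or TLSv1.0 section.
pci_tls_findings() {
  awk '
    # Protocol section header, e.g. "|   TLSv1.0: "
    /^[|][ _]+(SSLv[0-9]+|TLSv[0-9.]+):/ {
      proto = $2; sub(/:$/, "", proto)
      if (proto ~ /^SSLv/ || proto == "TLSv1.0") {
        print "EARLY_TLS " proto; bad = 1
      }
      next
    }
    # Cipher line, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
    /^[|][ _]+TLS_[A-Z0-9_]+ / {
      # DES, 3DES, IDEA and RC2 all use a 64-bit block (SWEET32 class)
      if ($2 ~ /_(3DES|DES|DES40|IDEA|RC2)_/) {
        print "SWEET32 " proto " " $2; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample output (not captured from a real server).
sample_scan() {
  cat <<'EOF'
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
EOF
}

# Prints the findings; exit status 1 means at least one was found.
sample_scan | pci_tls_findings || echo "scan would still fail" >&2
```

Against a live server, pipe the nmap command from the report into `pci_tls_findings` in place of `sample_scan`.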