Wow, it works! Thank you!
" Has server cipher order? yes (OK) -- TLS 1.3 and below"
Cheers,
-r
On 09/05/2020 at 21:53, Jonas Andradas wrote:
Hi Roman,
Did you try with the following in imapd.conf?
tls_prefer_server_ciphers: 1
Regards,
Jonas.
On Sat, 9 May 2020, 01:22 Roman Medina-Heigl Hernandez, <[email protected]> wrote:
Thanks Alberto. Now it's solved (it has been a little bit tricky).
My final config:
* /etc/imapd.conf
tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
* /etc/ssl/openssl.cnf
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2
Still don't know how to fix the "Has server cipher order? no (NOT
ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).
Cheers,
-r
On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
> Hi,
>
> It's probably due to new defaults in libssl.
> Try adding:
> MinProtocol = None
> CipherString = DEFAULT
> To:
> /etc/ssl/openssl.cnf
>
> Regards,
>
> Alberto
>
> On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
>> Hi,
>>
>> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
>> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
>> they're not recommended but I need them for older clients). I tried
>> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
>> (even very permissive combinations) with no success.
>>
>> Any idea what's happening?
>>
>> I'm not sure whether it's really a Cyrus issue or some other kind of
>> hardening feature in Buster. In that last regard, I also modified
>> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
>> I think this setting is only for client programs like Curl. But seeing
>> that config I tend to think that Buster may have other tweaks against
>> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
>>
>> Cheers,
>>
>> -r
>>
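The thread changes tls_versions / tls_ciphers / tls_prefer_server_ciphers in imapd.conf and MinProtocol / CipherString in openssl.cnf, then relies on testssl.sh to see what the listener really does. The following is an added example, not code from the thread, from Cyrus or from testssl.sh: a small POSIX sh script that performs the two checks quoted above from the outside, a protocol-version sweep and the "does the server enforce its own cipher order?" test, using only `openssl s_client`. It assumes OpenSSL 1.1.1 or later is installed, takes host and port as arguments (port defaults to 993), and the two s_client excerpts at the bottom are constructed so the parsing can be exercised without a server. The two cipher names used for the order check are an assumption; both must be ciphers the server actually supports for the verdict to mean anything.

```shell
#!/bin/sh
# Added example (not from the thread): verify from the outside what an IMAPS
# listener negotiates after editing imapd.conf / openssl.cnf.
# Assumes `openssl s_client` (OpenSSL 1.1.1+). Usage: ./tlsprobe.sh HOST [PORT]

# Print "PROTOCOL CIPHER" from s_client output. s_client prints
# "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" on success and
# "New, (NONE), Cipher is (NONE)" when no session was established.
negotiated() {
    printf '%s\n' "$1" | awk -F'[, ]+' '/^New, / { print $2, $5; exit }'
}

# One handshake against HOST:PORT with extra s_client options, summarized.
# A rejected version makes s_client exit non-zero; the failure is swallowed
# and shows up as "(NONE) (NONE)" instead.
probe() {
    host=$1; port=$2; shift 2
    out=$(printf '' | openssl s_client -connect "$host:$port" "$@" 2>/dev/null) || true
    negotiated "$out"
}

# Given the cipher chosen when the client offered "A:B" and when it offered
# "B:A", decide whether the server applied its own preference order (what
# tls_prefer_server_ciphers: 1 turns on). Caveat: A and B must both be
# supported by the server, otherwise the same cipher is picked trivially.
cipher_order_verdict() {
    if [ "$1" = "$2" ]; then
        echo "server order enforced"
    else
        echo "client order wins"
    fi
}

# Version sweep plus cipher-order check against a live host.
report() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe "$host" "$port" "$flag")"
    done
    # Assumed cipher pair; pick two the server is known to offer.
    a='ECDHE-RSA-AES128-GCM-SHA256'
    b='ECDHE-RSA-AES256-GCM-SHA384'
    first=$(probe "$host" "$port" -tls1_2 -cipher "$a:$b" | cut -d' ' -f2)
    second=$(probe "$host" "$port" -tls1_2 -cipher "$b:$a" | cut -d' ' -f2)
    echo "cipher order: $(cipher_order_verdict "$first" "$second") ($first / $second)"
}

# Constructed s_client excerpts so the parsing can run without a server.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_REJECTED='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

if [ -n "${1:-}" ]; then
    report "$1" "${2:-993}"
else
    echo "sample ok:       $(negotiated "$SAMPLE_OK")"
    echo "sample rejected: $(negotiated "$SAMPLE_REJECTED")"
fi
```

Run it with the host and port of the IMAPS listener after each configuration change; a line reading `-tls1 (NONE) (NONE)` means that version is still refused by the server side regardless of what the client offers, and the last line reproduces the testssl.sh "server cipher order" verdict without the full scan.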
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)