Cyrus imapd and SSL

I have an IMAP server running on Fedora (cyrus-imapd-2.4.18-1.fc23.i686) that is configured as follows:

$ cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

userdeny_db: flat

tls_cert_file: /etc/pki/tls/certs/corti.li.crt
tls_key_file: /etc/pki/tls/private/corti.li.key
# Chain
tls_ca_file: /etc/pki/tls/certs/COMODORSA.crt

#tls_cipher_list: HIGH
#tls_cipher_list: TLSv1:SSLv3:!SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH:!ADH
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM

# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

Everything works perfectly. I am now migrating to CentOS 7 (cyrus-imapd-2.4.17-8.el7_1.x86_64), but with the same configuration the server still accepts connections with SSLv2 and low-grade ciphers:

$ ./testssl.sh --color 0 new.corti.li:993 
[...]
 further IP addresses:   2a01:4f8:c17:3bac::2
 rDNS (138.201.94.195):  static.195.94.201.138.clients.your-server.de.
 Service detected:       IMAP, thus skipping HTTP specific checks

 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)

There are no errors in the logs. Any idea why

    tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM

is being ignored?

Edit

The same settings on the Fedora system produce the following, with no SSLv3:

$ ./testssl.sh --color 0 corti.li:993 
[...]
 further IP addresses:   2a01:4f8:d13:f44::2
 rDNS (78.47.122.114):   corti.li.
 Service detected:       IMAP, thus skipping HTTP specific checks

 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)
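Two things in the testssl.sh output above are decided by different mechanisms, and a direct probe of the server separates them. In OpenSSL cipher-string syntax, `SSLv3` and `TLSv1` are cipher-suite selectors (suites introduced with those protocol versions), not protocol-version restrictions, so `tls_cipher_list` alone cannot stop a server from speaking the SSLv3 protocol; that is governed by the OpenSSL build and the options the server sets on its SSL context. Separately, in OpenSSL 1.0.x (what CentOS 7 ships) the 168-bit 3DES suite `DES-CBC3-SHA` is classified as `HIGH`, so `HIGH:!MEDIUM` keeps it; it was moved to `MEDIUM` only in OpenSSL 1.1.0. The script below is an added example, not part of the original question or of Cyrus: it hand-builds a minimal ClientHello for a chosen protocol version and cipher-suite set, sends it to an implicit-TLS port such as IMAPS 993, and classifies the reply (ServerHello = accepted, with the negotiated version and suite; Alert = refused). The host name `new.corti.li` and the suite table are taken from the question and common IANA IDs; `probe` and `main` are my own helpers.

```python
#!/usr/bin/env python3
"""Probe an implicit-TLS service for protocol-version and cipher-suite acceptance.

Sends a hand-built ClientHello (SSLv3 or TLS 1.x record framing) and reads the
first record back: ServerHello means accepted, Alert means refused. Added
example; not part of Cyrus or of the original post.
"""
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# IANA cipher-suite IDs with their OpenSSL names (subset, enough for this probe).
SUITES = {
    0x000A: "DES-CBC3-SHA",        # 3DES: HIGH in OpenSSL 1.0.x, MEDIUM since 1.1.0
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x0039: "DHE-RSA-AES256-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
}


def build_client_hello(version, suite_ids):
    """Return one handshake record carrying a ClientHello for `version`
    that offers exactly `suite_ids` (no extensions, null compression)."""
    client_random = b"\x11" * 32                      # fixed value is fine for a probe
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                                 # session id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    # Handshake header: type 1 (ClientHello) + 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), record version, 2-byte length
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record in `data`.
    Returns ("accepted", {...}), ("rejected", reason) or ("error", reason)."""
    if len(data) < 5:
        return ("error", "short response")
    ctype = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 21 and len(payload) >= 2:             # Alert record
        level, desc = payload[0], payload[1]
        return ("rejected", f"alert level={level} description={desc}")
    if ctype == 22 and payload and payload[0] == 2:   # Handshake record, ServerHello
        # layout: type(1) len(3) version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)
        if len(payload) < 39:
            return ("error", "truncated ServerHello")
        srv_ver = struct.unpack("!H", payload[4:6])[0]
        off = 39 + payload[38]
        if len(payload) < off + 2:
            return ("error", "truncated ServerHello")
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        return ("accepted", {"version": srv_ver,
                             "version_name": VERSION_NAMES.get(srv_ver, hex(srv_ver)),
                             "suite": suite,
                             "suite_name": SUITES.get(suite, hex(suite))})
    return ("error", f"unexpected record type {ctype}")


def probe(host, port, version_name, suite_ids=tuple(SUITES), timeout=5.0):
    """Connect, send the ClientHello, return the classification of the reply."""
    hello = build_client_hello(VERSIONS[version_name], suite_ids)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        data = sock.recv(4096)
    return parse_server_response(data)


def main(host="new.corti.li", port=993):
    # 1. Which protocol versions does the server accept at all?
    for name in VERSIONS:
        try:
            print(f"{name:7} -> {probe(host, port, name)}")
        except OSError as exc:
            print(f"{name:7} -> error: {exc}")
    # 2. Does it still take 3DES when that is the only suite on offer?
    try:
        print("TLS1.0 3DES only ->", probe(host, port, "TLS1.0", (0x000A,)))
    except OSError as exc:
        print("TLS1.0 3DES only -> error:", exc)


if __name__ == "__main__":
    main(*(sys.argv[1:2] or ["new.corti.li"]), port=int(sys.argv[2]) if len(sys.argv) > 2 else 993)
```

Run it as `./probe.py host 993`. An SSLv3 row that reads `accepted` confirms that the protocol is enabled regardless of the cipher string; a `rejected` row with `description=70` (protocol_version) or `40` (handshake_failure) is what a server with SSLv3 disabled returns. The 3DES-only probe reproduces testssl.sh's "Triple DES Ciphers offered" line and tells you whether `!3DES` needs to be added to `tls_cipher_list` on this OpenSSL version.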
