cyrus default config includes insecure SSLv2

Bug #904875 reported by ScottMiller
Affects: cyrus-imapd-2.2 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

The default cipher list for cyrus includes SSLv2 enabled, which is considered to be a security vulnerability.

To disable SSLv2,

Edit /etc/imapd.conf

alter:

tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

to:

tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

Can this package be updated to disable SSLv2 by default? Regards,

Tags: cyrus imap ssl tls
visibility: private → public
Jamie Strandboge (jdstrand) wrote:

Thanks for using Ubuntu and reporting a bug. cyrus-imapd-2.2 is compiled to use openssl, but openssl in Ubuntu uses the no-ssl2 configure option, so even though the cipher list reports these, they should not work. While it would be less confusing to adjust cyrus-imapd-2.2 to not report this, this is not a change we would want to carry in Ubuntu without it also being in Debian. I am going to close this bug as "Invalid" since cyrus should not actually use sslv2. If this is in error, please feel free to reopen the bug. If you feel strongly that this should be fixed, please file a bug with Debian and Ubuntu will get the change automatically as part of our development process. Thanks again!

Changed in cyrus-imapd-2.2 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Invalid
security vulnerability: yes → no
Changed in cyrus-imapd-2.2 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
ScottMiller (stmiller) wrote:

Thank you. Apparently cyrus still allows an SSLv2 connection despite Ubuntu's openssl configure options. I can file a bug upstream with Debian; perhaps that is best?

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid

With SSLv2 in the imapd.conf tls options, it allows an sslv2 connection over imaps:

$ openssl s_client -connect 173.230.156.66:993 -verify -debug -ssl2
verify depth is 0
CONNECTED(00000003)
depth=0 CN = li166-66.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li166-66.members.linode.com
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=li166-66.members.linode.com
issuer=/CN=li166-66.members.linode.com
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 579 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv2
    Cipher : DES-CBC3-MD5
    Session-ID: 91A4A83A02BBB6A2BC60A56404E66619
    Session-ID-ctx:
    Master-Key: 33156C13CA7E84DCD37A174D148333675CCDC90038E0C97A
    Key-Arg : 792CAE9519F74E9F
    PSK identity: None
    PSK identity hint: None
    Start Time: 1323986488
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK li166-66 Cyrus IMAP4 v2.2.13-Debian-2.2.13-19squeeze2build0.10.04.1 server ready

With SSLv2 taken out of the imapd.conf tls options, sslv2 is not allowed:

$ openssl s_client -connect 173.230.156.66:993 -verify -debug -ssl2
verify depth is 0
CONNECTED(00000003)
depth=0 CN = li166-66.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li166-66.members.linode.com
verify return:1
140735126120892:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

This all came about from a third-party scanning vendor (Qualys) which identified my port 993 as allowing SSLv2. Regards,

ScottMiller (stmiller)
Changed in cyrus-imapd-2.2 (Ubuntu):
status: Invalid → New
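The two s_client runs above are read by eye: a "New, SSLv2, Cipher is ..." line means the server completed a v2 handshake, and the "no cipher list" error means it offered nothing a v2 client hello could use. As an added example, not code from the bug report or from OpenSSL, the script below parses that kind of output and returns a pass/fail verdict, so a scan of many hosts can be checked mechanically. The transcripts embedded in it are constructed, trimmed imitations of the two runs, with the hostname replaced by a placeholder and the certificate and key material left out.

```python
"""Classify the output of `openssl s_client -ssl2` (or -ssl3) as accepted or refused.

Added example; not code from the bug report or from OpenSSL. The two transcripts
below are constructed imitations of the runs in the report (hostname replaced,
certificate and session key material removed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Summary line printed after a completed handshake, e.g. "New, SSLv2, Cipher is DES-CBC3-MD5".
# Some builds print "New, (NONE), Cipher is (NONE)" when no session was established.
NEW_SESSION_RE = re.compile(r"^New, (?P<proto>\S+), Cipher is (?P<cipher>\S+)\s*$", re.M)
# Library error line, e.g. "...:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:"
ERROR_RE = re.compile(r"^\d+:error:[0-9A-Fa-f]+:SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):", re.M)
# Cipher list s_client prints for an SSLv2 session (the names follow on the next line).
COMMON_RE = re.compile(r"^Ciphers common between both SSL endpoints:\n(?P<names>.+)$", re.M)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


@dataclass
class HandshakeResult:
    accepted: bool
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    common_ciphers: List[str] = field(default_factory=list)
    error: Optional[str] = None          # None when the output was inconclusive

    @property
    def legacy_accepted(self) -> bool:
        """True when the server completed a handshake at SSLv2 or SSLv3."""
        return self.accepted and self.protocol in LEGACY_PROTOCOLS


def classify_s_client(output: str) -> HandshakeResult:
    """Decide from s_client's text whether the requested protocol was negotiated."""
    common = COMMON_RE.search(output)
    common_ciphers = common.group("names").split() if common else []
    m = NEW_SESSION_RE.search(output)
    if m and m.group("cipher") != "(NONE)":
        return HandshakeResult(True, m.group("proto"), m.group("cipher"), common_ciphers)
    e = ERROR_RE.search(output)
    if e:
        return HandshakeResult(False, common_ciphers=common_ciphers,
                               error=f"{e.group('func')}: {e.group('reason')}")
    # Neither a session summary nor an SSL error: connection problem or truncated capture.
    return HandshakeResult(False, common_ciphers=common_ciphers)


def verdict(output: str) -> str:
    """One-line audit verdict: FAIL when a legacy protocol handshake completed."""
    r = classify_s_client(output)
    if r.legacy_accepted:
        return f"FAIL: server completed a {r.protocol} handshake using {r.cipher}"
    if r.accepted:
        return f"PASS: handshake completed at {r.protocol} using {r.cipher}"
    if r.error is None:
        return "INCONCLUSIVE: no session summary or SSL error found in output"
    return f"PASS: handshake refused ({r.error})"


# Constructed transcript: the server still offers SSLv2 ciphers.
ACCEPTED_SSLV2 = """\
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify error:num=18:self signed certificate
verify return:1
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 579 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol : SSLv2
    Cipher : DES-CBC3-MD5
    Verify return code: 18 (self signed certificate)
---
* OK imap Cyrus IMAP4 server ready
"""

# Constructed transcript: SSLv2 removed from tls_cipher_list, v2 client hello gets no cipher.
REFUSED_SSLV2 = """\
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify error:num=18:self signed certificate
verify return:1
140735126120892:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
"""

if __name__ == "__main__":
    for name, text in (("before", ACCEPTED_SSLV2), ("after", REFUSED_SSLV2)):
        print(f"{name}: {verdict(text)}")
```

In practice the output would come from piping `openssl s_client ... -ssl2 < /dev/null 2>&1` into the script; the regexes only depend on the summary and error lines, so the extra certificate and session text does not matter.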
ScottMiller (stmiller) wrote:

Marking invalid. Looks like this is user error on my behalf.

Default config does _not_ include SSLv2.

default:

tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

Still mysterious that cyrus can be made to accept SSLv2 connections despite openssl compile time options.

Changed in cyrus-imapd-2.2 (Ubuntu):
status: New → Invalid
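Both the list quoted in the description and the default quoted in this last comment are OpenSSL cipher strings that Cyrus hands to the library. As an added example, not code from the report, from Cyrus or from OpenSSL, the linter below applies the prefix rules documented in ciphers(1) to such a string, reports which protocol-era keywords still contribute ciphers, and rewrites the list without them. Two things it is careful about: a keyword such as SSLv2 selects ciphers, it does not by itself switch a protocol version on (which is why the no-ssl2 build point made above matters), but, as the "no cipher list" error in the second run shows, a server that offers no SSLv2-era ciphers leaves an SSLv2 client hello nothing to pick. The weak-keyword set and the constructed lists at the bottom are assumptions of this example.

```python
"""Lint an OpenSSL-style cipher list such as Cyrus's tls_cipher_list.

Added example; not code from the bug report, from Cyrus or from OpenSSL.
Prefix rules follow ciphers(1): no prefix adds a cipher set, '!' removes it and
blocks any later re-adding, '-' removes it (it may be re-added later), '+' only
reorders, '@' introduces a directive such as @STRENGTH. 'A+B' selects the
intersection of sets A and B.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

LEGACY_PROTOCOL_KEYWORDS = {"SSLv2", "SSLv3"}
# Assumption of this example: keywords a reviewer expects to see killed with '!'.
WEAK_KEYWORDS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "LOW", "DES", "RC4", "MD5"}


@dataclass(frozen=True)
class Token:
    op: str                 # '' (add), '!', '-', '+' or '@'
    parts: Tuple[str, ...]  # keywords joined by '+' in the original token


def tokenize(cipher_list: str) -> List[Token]:
    """Split a cipher string on ':' (OpenSSL also accepts ',' and whitespace)."""
    tokens = []
    for raw in re.split(r"[:,\s]+", cipher_list.strip()):
        if not raw:
            continue
        op = raw[0] if raw[0] in "!-+@" else ""
        body = raw[len(op):]
        parts = (body,) if op == "@" else tuple(body.split("+"))
        tokens.append(Token(op, parts))
    return tokens


@dataclass
class LintResult:
    active: Set[str]     # keywords that still contribute ciphers after evaluation
    killed: Set[str]     # keywords removed with '!'
    findings: List[str]  # human-readable issues; empty when the list is clean


def lint_cipher_list(cipher_list: str) -> LintResult:
    """Evaluate the string left to right and flag legacy or weak keywords left active."""
    active: Set[str] = set()
    killed: Set[str] = set()
    for t in tokenize(cipher_list):
        if t.op == "!":
            killed.update(t.parts)
            active.difference_update(t.parts)
        elif t.op == "-":
            active.difference_update(t.parts)
        elif t.op == "":
            # 'A+B' adds only ciphers in both sets; a killed side adds nothing.
            if not killed.intersection(t.parts):
                active.update(t.parts)
        # '+' (reorder) and '@' directives do not change membership.
    findings = []
    for proto in sorted(active & LEGACY_PROTOCOL_KEYWORDS):
        findings.append(f"{proto} keyword still selects ciphers; a {proto} client hello "
                        f"can find a common cipher if the library was built with {proto}")
    for kw in sorted(active & WEAK_KEYWORDS):
        findings.append(f"weak cipher keyword {kw} is selected and not killed with !{kw}")
    return LintResult(active, killed, findings)


def harden(cipher_list: str, drop: FrozenSet[str] = frozenset(LEGACY_PROTOCOL_KEYWORDS)) -> str:
    """Return the list without add/reorder tokens that mention a dropped keyword.

    '!' and '-' tokens and '@' directives are kept so existing exclusions survive.
    """
    kept = []
    for t in tokenize(cipher_list):
        if t.op in ("", "+") and drop.intersection(t.parts):
            continue
        kept.append(t.op + "+".join(t.parts))
    return ":".join(kept)


# The three lists quoted in the report.
REPORTED_LIST = "TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
SUGGESTED_LIST = "TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
DEFAULT_LIST = "TLSv1+HIGH:!aNULL:@STRENGTH"

if __name__ == "__main__":
    for name, lst in (("reported", REPORTED_LIST), ("suggested", SUGGESTED_LIST),
                      ("default", DEFAULT_LIST)):
        result = lint_cipher_list(lst)
        print(f"{name}: {lst}")
        for f in result.findings or ["no findings"]:
            print(f"  - {f}")
        print(f"  hardened: {harden(lst)}")
```

`harden(REPORTED_LIST, drop=frozenset({"SSLv2"}))` reproduces exactly the edit proposed in the description; the default `drop` also strips the SSLv3 keyword, which the linter flags for the same reason. The linter is an approximation of OpenSSL's evaluation: it tracks keyword membership, not the underlying cipher suites, so `ALL` or `DEFAULT` are not expanded.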