TLS_CIPHER_LIST and TLS_PROTOCOL Ignored
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
courier (Ubuntu) | New | Undecided | Unassigned |
Bug Description
No matter what you put in TLS_CIPHER_LIST and/or TLS_PROTOCOL the settings are ignored.
There is no way to limit the TLS Protocol or Cipher list in courier imap or pop. This is critical for PCI compliance. Older versions would allow you to manipulate the tls_cipher_list to get the desired effects.
The only setting that seems to change the protocols now is the TLS_DHPARAMS setting. If it is blank you will lose some protocols naturally.
A PCI scan will result in the following errors on an 18.04 server:
IMAP (993/tcp) Early TLS Protocol Detection
IMAP (993/tcp) SSL 64-bit Block Size Cipher Suites Supported (SWEET32) CVE-2016-2183
IMAP (993/tcp) SSL Medium Strength Cipher Suites Supported
IMAP (993/tcp) Sweet32 Birthday Attack CVE-2016-2183
IMAP (993/tcp) TLS Version 1.0 Protocol Detection
The same applies to POP
A quick way to enumerate the ciphers/protocols currently active:
nmap --script ssl-enum-ciphers -p 993 mail.yourserver.com
information type: Private Security → Public
Now that courier is compiled with gnutls instead of openssl, the only setting in pop3d-ssl or imapd-ssl that will limit the ciphers or protocols is the setting TLS_PRIORITY.

Example: TLS_PRIORITY="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"

You can test pop with:
nmap --script ssl-enum-ciphers -p 995 localhost

. /etc/courier/pop3d-ssl
gnutls-cli --priority="$TLS_PRIORITY" --list
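The two findings the PCI scan above keeps raising (TLS 1.0 offered, SWEET32/3DES suites) can be checked from the nmap output itself, before and after changing TLS_PRIORITY. The script below is an added example and is not part of the bug report or of courier: a POSIX shell script that reads the text output of `nmap --script ssl-enum-ciphers` and prints one FINDING line for every legacy protocol (SSLv3, TLS 1.0, TLS 1.1) and every weak suite (3DES, RC4, NULL, EXPORT, single DES) it sees. The function names are my own and the two embedded nmap outputs are constructed to look like a pre-fix and a post-fix courier host.

```shell
#!/bin/sh
# Added example, not from the bug report or courier itself: audit the text
# output of `nmap --script ssl-enum-ciphers` for what the PCI scan quoted
# above complains about on courier imapd-ssl / pop3d-ssl:
#   * a protocol older than TLSv1.2 being offered (TLS 1.0 detection)
#   * a 64-bit-block suite (3DES, SWEET32 / CVE-2016-2183) or other weak suite
# Function and sample names are my own; the nmap output below is constructed.

# Read nmap ssl-enum-ciphers text on stdin, print one FINDING line per
# problem, exit 1 if anything was found and 0 if the port looks clean.
audit_tls_enum() {
    awk '
        # Protocol header lines look like "|   TLSv1.0:" or "|   SSLv3:"
        /^\|[ |]*(SSLv3|TLSv1\.[0-9]):/ {
            proto = $0
            sub(/^[| ]*/, "", proto)
            sub(/:.*/, "", proto)
            if (proto == "SSLv3" || proto == "TLSv1.0" || proto == "TLSv1.1") {
                print "FINDING: legacy protocol offered: " proto
                bad = 1
            }
            next
        }
        # Suite lines look like "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
        /^\|[ |]*TLS_/ {
            suite = $0
            sub(/^[| ]*/, "", suite)
            sub(/ .*/, "", suite)
            if (suite ~ /3DES|RC4|_NULL_|EXPORT|_DES_/) {
                print "FINDING: weak suite " suite " under " proto
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample: what port 993 looks like before TLS_PRIORITY is set.
weak_sample() {
cat <<'EOF'
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
EOF
}

# Constructed sample: port 995 after TLS_PRIORITY restricts it to TLS 1.2.
clean_sample() {
cat <<'EOF'
PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A
EOF
}

# Convenience wrappers: exit status 1 = findings, 0 = clean.
audit_weak()  { weak_sample  | audit_tls_enum; }
audit_clean() { clean_sample | audit_tls_enum; }

# Stand-alone use: `sh audit.sh scan.txt` audits a saved nmap run,
# `sh audit.sh --demo` audits the constructed weak sample.
case "${1:-}" in
    --demo) audit_weak ;;
    "")     ;;
    *)      audit_tls_enum < "$1" ;;
esac
```

Save an nmap run with `nmap --script ssl-enum-ciphers -p 993,995 mail.yourserver.com > scan.txt` and feed it to the script; a host that still offers TLS 1.0 or a 3DES suite exits 1 with the offending protocol and suite named, and a host restricted by TLS_PRIORITY to TLS 1.2 with AES-GCM suites exits 0. The awk only understands nmap's text layout, so run nmap without `-oX`.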