TLS_CIPHER_LIST and TLS_PROTOCOL Ignored

Bug #1808649 reported by Gerald Drouillard
Affects           Status   Importance   Assigned to
courier (Ubuntu)  New      Undecided    Unassigned

Bug Description

No matter what you put in TLS_CIPHER_LIST and/or TLS_PROTOCOL the settings are ignored.

There is no way to limit the TLS Protocol or Cipher list in courier imap or pop. This is critical for PCI compliance. Older versions would allow you to manipulate the tls_cipher_list to get the desired effects.

The only setting that seems to change the protocols now is the TLS_DHPARAMS setting. If it is blank you will lose some protocols naturally.

A PCI scan will result in the following errors on an 18.04 server:
IMAP (993/tcp) Early TLS Protocol Detection
IMAP (993/tcp) SSL 64-bit Block Size Cipher Suites Supported (SWEET32) CVE-2016-2183
IMAP (993/tcp) SSL Medium Strength Cipher Suites Supported
IMAP (993/tcp) Sweet32 Birthday Attack CVE-2016-2183
IMAP (993/tcp) TLS Version 1.0 Protocol Detection

The same applies to POP.

A quick way to enumerate the ciphers/protocols currently active:
nmap --script ssl-enum-ciphers -p 993 mail.yourserver.com

information type: Private Security → Public
Gerald Drouillard (gerald-drouillard) wrote:

Now that courier is compiled with gnutls instead of openssl, the only setting in pop3d-ssl or imapd-ssl that will limit the ciphers or protocols is the setting TLS_PRIORITY.
Example: TLS_PRIORITY="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
You can test pop with:
nmap --script ssl-enum-ciphers -p 995 localhost
. /etc/courier/pop3d-ssl
gnutls-cli --priority="$TLS_PRIORITY" --list
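The bug description lists the PCI findings and both comments rely on `nmap --script ssl-enum-ciphers` to see what is really offered. The following parser is an added example (not code from the bug report, Courier or nmap): it reads ssl-enum-ciphers output and maps it onto the three finding classes named above, so an operator can confirm a TLS_PRIORITY change took effect. The scan output below is constructed, not a real scan.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 993` output,
# shaped like a host that still offers TLS 1.0 and a 3DES suite.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     cipher preference: server
|_  least strength: C
"""

# A protocol header line ("|   TLSv1.0: ") and a suite line ("|       NAME (kx) - GRADE").
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\((.*?)\)\s+-\s+([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(suite, nmap_grade), ...]} from ssl-enum-ciphers output."""
    suites, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites[current] = []
            continue
        m = SUITE_RE.match(line)
        if m and current is not None:
            suites[current].append((m.group(1), m.group(3)))
    return suites

def pci_findings(suites):
    """Map the parsed offer onto the finding classes from the PCI scan in the report."""
    findings = set()
    for proto, entries in suites.items():
        if proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):
            findings.add(f"{proto} offered (early TLS protocol detection)")
        for suite, grade in entries:
            if "3DES" in suite:  # 64-bit block cipher
                findings.add(f"{suite}: SWEET32 (CVE-2016-2183)")
            elif grade != "A":   # nmap's own grade, used as a medium-strength heuristic
                findings.add(f"{suite}: medium strength suite (grade {grade})")
    return sorted(findings)
```

Run the real scan, feed its stdout to `parse_enum_ciphers`, and an empty list from `pci_findings` means none of the listed findings remain.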

Szépe Viktor (szepe.viktor) wrote: Re: [Bug 1808649] Re: TLS_CIPHER_LIST and TLS_PROTOCOL Ignored

Quoting Gerald Drouillard <email address hidden>:

> Now that courier is compiled with gnutls instead of openssl the
> only setting in pop3d-ssl or imapd-ssl that will limit the ciphers
> or protocols is the setting TLS_PRIORITY.
> Example: TLS_PRIORITY="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
> You can test pop with:
> nmap --script ssl-enum-ciphers -p 995 localhost
> . /etc/courier/pop3d-ssl
> gnutls-cli --priority="$TLS_PRIORITY" --list

Yes, see
https://github.com/szepeviktor/debian-server-tools/tree/master/mail/courier-check
It is called "Priority Strings".

SZÉPE Viktor, website operation / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
hotline: +36-20-4242498 <email address hidden> skype: szepe.viktor
Budapest, 3rd district
