TLS1.0 and 1.1 with Cyrus (Debian Buster)

To: debian-security@lists.debian.org
Subject: TLS1.0 and 1.1 with Cyrus (Debian Buster)
From: Roman Medina-Heigl Hernandez <roman@rs-labs.com>
Date: Fri, 8 May 2020 21:07:31 +0200
Message-id: <[🔎] 34922da8-3e5b-dc6e-5401-97ff7073340b@rs-labs.com>

Hi,

I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
(imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
they're not recommended but I need them for older clients). I tried
several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
(even very permisive combinations) with no success.

Any idea what's happening?

I'm not sure whether it's really a Cyrus issue or some other kind of
hardening feature in Buster. In that last regard, I also modified
/etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
I think this setting is only for client programs like Curl. But seeing
that config I tend to think that Buster may have other tweaks against
older protocols like TLSv1.{0,1} and one of them may be impacting my setup.

Cheers,

-r

Reply to:

Follow-Ups:
- Re: TLS1.0 and 1.1 with Cyrus (Debian Buster)
  - From: Alberto Gonzalez Iniesta <agi@inittab.org>

Prev by Date: Re: rkhunter finds something suspicious
Next by Date: Re: TLS1.0 and 1.1 with Cyrus (Debian Buster)
Previous by thread: Re: rkhunter finds something suspicious
Next by thread: Re: TLS1.0 and 1.1 with Cyrus (Debian Buster)
Index(es):
- Date
- Thread