
Re: TLS1.0 and 1.1 with Cyrus (Debian Buster)



Thanks, Alberto. Now it's solved (it has been a little bit tricky).

My final config:

* /etc/imapd.conf
tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3

* /etc/ssl/openssl.cnf
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2

Still don't know how to fix the "Has server cipher order?     no (NOT
ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).


Cheers,
-r

On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
> Hi,
>
> It's probably due to new defaults in libssl.
> Try adding:
> MinProtocol = None
> CipherString = DEFAULT
> To:
> /etc/ssl/openssl.cnf
>
> Regards,
>
> Alberto
>
> On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
>> Hi,
>>
>> I upgraded from Jessie to Buster (through Stretch) and noticed that Cyrus
>> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
>> they're not recommended but I need them for older clients). I tried
>> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
>> (even very permissive combinations) with no success.
>>
>> Any idea what's happening?
>>
>> I'm not sure whether it's really a Cyrus issue or some other kind of
>> hardening feature in Buster. In that last regard, I also modified
>> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
>> I think this setting is only for client programs like Curl. But seeing
>> that config I tend to think that Buster may have other tweaks against
>> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
>>
>> Cheers,
>>
>> -r
>>
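
Added example (not part of the original thread, and not Cyrus or Debian code): a small Python audit of the two files discussed above, reporting which protocol versions stay enabled and whether the imapd.conf switch tls_prefer_server_ciphers (server cipher order) is set. It assumes the usable set is tls_versions cut off by the openssl.cnf MinProtocol floor, reads MinProtocol names leniently rather than as OpenSSL itself parses them, and compares against assumed stock Buster values.

```python
import re

ORDER = ["tls1_0", "tls1_1", "tls1_2", "tls1_3"]  # ascending; index = rank
LEGACY = {"tls1_0", "tls1_1"}  # deprecated versions the thread re-enables

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines; skip blanks, comments and [sections]."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[" or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip()] = value.strip()
    return out

def floor_rank(value):
    """Rank of the lowest version MinProtocol is meant to allow. Lenient
    reading of intent (assumption), not OpenSSL's own value parsing."""
    if value is None or value.lower() == "none":
        return 0  # no floor set in the file
    m = re.fullmatch(r"TLSv1(?:\.([0-3]))?", value)
    if not m:
        raise ValueError(f"unrecognised MinProtocol: {value!r}")
    return int(m.group(1) or 0)

def audit(imapd_conf, openssl_cnf):
    imapd, ossl = parse_kv(imapd_conf, ":"), parse_kv(openssl_cnf, "=")
    wanted = [v for v in imapd.get("tls_versions", "").split() if v in ORDER]
    floor = floor_rank(ossl.get("MinProtocol"))
    # Assumption: a version is usable only if both files allow it.
    effective = [v for v in wanted if ORDER.index(v) >= floor]
    level = re.search(r"@SECLEVEL=(\d)", ossl.get("CipherString", ""))
    return {
        "effective": effective,
        "blocked_by_floor": [v for v in wanted if v not in effective],
        "legacy_enabled": [v for v in effective if v in LEGACY],
        "seclevel": int(level.group(1)) if level else None,
        "server_cipher_order":
            imapd.get("tls_prefer_server_ciphers", "0").lower() in ("1", "yes", "on", "true", "t"),
    }

# The thread's final settings, and assumed stock Buster values for comparison.
THREAD_IMAPD = """tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3"""
THREAD_OPENSSL = "[system_default_sect]\nMinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=2"
STOCK_OPENSSL = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2"

if __name__ == "__main__":
    for name, cnf in (("thread", THREAD_OPENSSL), ("stock", STOCK_OPENSSL)):
        print(name, audit(THREAD_IMAPD, cnf))
```

The legacy_enabled list is the part to track while older clients are still being served; an empty list means the exception can be dropped from both files.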

