Reputation: 285
Dovecot avoiding SHA1 TLS connection not working
I have a Dovecot backend instance where i want to avoid a custom set of ciphers to make the connection more secure. But some definitions dont work as intendet.
Different cipher suits are named in the openssl docs https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
This would be the prefered configutation that i would like to have:
ssl_cipher_list = HIGH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH:!SHA1:!CBC:!kDHE
This setup already worked with an nginx configuration. but with dovecot no ciphersuits are active if used.
If investigated a little more it seems like it is due to the definition of !SHA1
if ssl_cipher_list = !SHA1 is defined
[localhost]$ nmap --script ssl-enum-ciphers -p 20993 192.168.56.203
Starting Nmap 7.92 ( https://nmap.org ) at 2024-05-14 21:44 CEST
Nmap scan report for 192.168.56.203
Host is up (0.00072s latency).
PORT STATE SERVICE
20993/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
if ssl_cipher_list = SHA1 is defined then:
PORT STATE SERVICE
20993/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: C
The ciphersuits are tested with Nmap version 7.92
nmap --script ssl-enum-ciphers -p 20993 192.168.56.203
In the dovcot docs i also can't find something about that sha is handled differently https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
Dovecot Version 2.3.21
Upvotes: 0
Views: 55
Answers (1)
Reputation: 285
+ssl-enum-ciphers
the + enforces nmap to really check for the ciphers.
nmap --script +ssl-enum-ciphers -p 20993 127.0.0.1 -Pn
Upvotes: 0
Related Questions
- TCP/IP socket cannot establish a secure connection with TLSv1_2_client_method()
- Delayed outgoing mail in active queue
- How to identify and remove CBC ciphers in the CipherSuite?
- Arch Dovecot spamtestplus sieve not working
- Emails not arriving on dovecot/postfix (debian)
- Dovecot not working pop3 with postfix