--On 6. Juli 2015 13:38:16 -0700 Andrew Morgan <morgan@xxxxxxxx> wrote:
On Mon, 6 Jul 2015, Sebastian Hagedorn wrote:--On 6. Juli 2015 14:23:11 +1000 ellie timoney <ellie@xxxxxxxxxxxx> wrote:Please consult the release notes before upgrading to 2.4.18: https://docs.cyrus.foundation/imap/release-notes/2.4-current.htmlThe big one is this: "Disable use of SSLv2/SSLv3" When I look at our log files, I see that there are still several hundred SSLv3 connections per day. I'm worried that not all clients used by our users support TLSv1. One such client appears to be Outlook 2003. Has anybody else (especially in education) already turned off SSLv3? What were your experiences?I had similar concerns when I was making SSLv3 and cipher changes to my LDAP service. I wanted to proactively identify any clients that would be affected so we could fix them in advance. I used tshark to sniff the ciphers for all my incoming connections, but you can also get the TLS version used from the output. I wrote it up in a blog post here: http://blogs.oregonstate.edu/sysadmin/2015/07/01/tracking-ssltls-cipher-u sage/
Thanks for your reply! Our Cyrus server is still running RHEL 5, and its tshark binary doesn't yet support the "-2" flag. I see that it's supposed to "Perform a two-pass analysis", but I'm unclear on why that is useful or even necessary? I removed the flag for my tests, and at first glance it still seems to work. FWIW, I had to modify the pattern matching in the Perl script, because in our instance there are two tabs before the first IP address.
Cheers
Sebastian
--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.Attachment:
p7sFPje9c8O0S.p7s
Description: S/MIME cryptographic signature
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
