I’m trying to figure out how to make my Cyrus install not be susceptible to the DROWN issue. I have tried limiting the ciphers to TLSv1.2 but haven’t had much success. What should the tls_cipher_list be? Or is this an issue with SSL? (To fix this, do I need to patch the SSL libraries and rebuild SSL and Cyrus?)

From the imapd.conf file:

    tls_cipher_list: TLSv1.2:!NULL:!aNULL:!eNULL:!EXPORT:!SSLv2

Thank you!

Other info: nmap tells me I should be just fine:

    nmap --script ssl-enum-ciphers -p T:993 127.0.0.1

    PORT    STATE SERVICE
    993/tcp open  imaps
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: client
    |     warnings:
    |       Key exchange parameters of lower strength than certificate key
    |_  least strength: A

But the python scanner from https://drownattack.com/ says I still have an issue.

My version info:

    name       : Cyrus IMAPD
    version    : v2.4.17-Fedora-RPM-2.4.17-8.el7_1 d1df8aff 2012-12-01
    vendor     : Project Cyrus
    support-url: http://www.cyrusimap.org
    os         : Linux
    os-version : 3.10.0-327.10.1.el7.x86_64
    environment: Built w/Cyrus SASL 2.1.26
                 Running w/Cyrus SASL 2.1.26
                 Built w/Berkeley DB 5.3.21: (May 11, 2012)
                 Running w/Berkeley DB 5.3.21: (May 11, 2012)
                 Built w/OpenSSL 1.0.1e-fips 11 Feb 2013
                 Running w/OpenSSL 1.0.1e-fips 11 Feb 2013
                 Built w/zlib 1.2.7
                 Running w/zlib 1.2.7
                 CMU Sieve 2.4
                 TCP Wrappers
                 NET-SNMP
                 mmap = shared
                 lock = fcntl
                 nonblock = fcntl
                 idle = idled
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
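Added example for the question above (not code from the original poster, from Cyrus or from nmap): a small Python parser for the ssl-enum-ciphers output quoted in the post, which turns nmap's per-protocol cipher table into findings that matter for DROWN and for the "Key exchange parameters of lower strength" warning. The function names and the second sample (a port 25 listing that offers SSLv2) are constructed for the example; the first sample is the post's own nmap output. Two caveats the code comments spell out: a cipher-string entry such as !SSLv2 removes cipher suites, not protocol support, so whether SSLv2 is offered is decided by the OpenSSL build and the options the daemon sets; and a clean result on port 993 alone does not rule DROWN out, because any SSLv2-speaking service that presents the same RSA key (SMTP, POP, STARTTLS listeners) can be used against the TLS sessions, which is why the drownattack.com scanner can still flag a host whose IMAPS port looks fine.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag DROWN-relevant findings.

Added example, not code from Cyrus, nmap or the original post; the function
names and the port-25 sample below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocol section header, e.g. "|   TLSv1.2:" once the NSE "| " prefix is gone.
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3]):$")
# "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A"; newer nmap also prints
# "(ecdh_x25519)" with no bit count, so the number is optional.
CIPHER_RE = re.compile(r"^(\S+)\s+\(([a-z0-9_]+)(?:\s+(\d+))?\)\s+-\s+([A-F])$")
# SSLv2 suites are printed bare, e.g. "SSL2_RC4_128_WITH_MD5".
BARE_CIPHER_RE = re.compile(r"^([A-Z0-9_]+WITH[A-Z0-9_]+)$")


@dataclass
class Cipher:
    name: str
    kex: Optional[str]    # "dh", "rsa", "ecdh_x25519", ... ; None for SSLv2 lines
    bits: Optional[int]   # key-exchange parameter size when nmap reports one
    grade: Optional[str]  # nmap's letter grade


def parse_enum_ciphers(text: str) -> Dict[str, List[Cipher]]:
    """Return {protocol: [Cipher, ...]} for every protocol section nmap printed."""
    protocols: Dict[str, List[Cipher]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_").strip()  # drop the "| " / "|_" NSE framing
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols.setdefault(current, [])
            continue
        if current is None:
            continue
        m = CIPHER_RE.match(line)
        if m:
            bits = int(m.group(3)) if m.group(3) else None
            protocols[current].append(Cipher(m.group(1), m.group(2), bits, m.group(4)))
            continue
        m = BARE_CIPHER_RE.match(line)
        if m:
            protocols[current].append(Cipher(m.group(1), None, None, None))
    return protocols


def assess(protocols: Dict[str, List[Cipher]], min_dh_bits: int = 2048) -> List[str]:
    """Turn the parsed table into findings a mail admin would act on.

    NOTE: this judges one listener only. DROWN also applies when *another*
    service (SMTP, POP, a STARTTLS port) speaks SSLv2 with the same RSA key,
    so run the scan against every port that presents that key.
    """
    findings: List[str] = []
    if "SSLv2" in protocols:
        findings.append("SSLv2 offered: directly usable for DROWN; disable SSLv2 at the "
                        "protocol level (OpenSSL build/options), '!SSLv2' in a cipher "
                        "string only drops cipher suites")
    if "SSLv3" in protocols:
        findings.append("SSLv3 offered: obsolete protocol, disable it")
    for proto, ciphers in protocols.items():
        for c in ciphers:
            if c.kex == "dh" and c.bits is not None and c.bits < min_dh_bits:
                findings.append(f"{proto} {c.name}: DH parameters are {c.bits} bits "
                                f"(nmap's 'lower strength than certificate key' warning); "
                                f"use >= {min_dh_bits}-bit DH or ECDHE")
            if "EXPORT" in c.name or "NULL" in c.name:
                findings.append(f"{proto} {c.name}: export/NULL suite offered")
    return findings


# Sample 1: the nmap output from the post, verbatim.
POST_SAMPLE = """\
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|_  least strength: A
"""

# Sample 2 (constructed): an SMTP listener on the same host that still offers SSLv2.
SSLV2_SAMPLE = """\
PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   SSLv2:
|     ciphers:
|       SSL2_RC4_128_WITH_MD5
|       SSL2_DES_192_EDE3_CBC_WITH_MD5
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: A
"""

if __name__ == "__main__":
    for label, sample in (("993/imaps", POST_SAMPLE), ("25/smtp", SSLV2_SAMPLE)):
        print(label, assess(parse_enum_ciphers(sample)) or ["no findings"])
```

On the post's port 993 output the parser reports only the four DHE suites with 1024-bit DH parameters (nmap's warning line); the constructed port 25 sample is what a DROWN-relevant result looks like, and it is the kind of listing the cipher_list on 993 cannot influence.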