cyradm TLS issues

SYSTEM INFORMATION:
OS: CentOS 7
Cyrus-Imap: RPM = cyrus-imapd-2.4.17-15.el7.x86_64

TLS CONFIGURATION:
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: HIGH:!aNULL:!eNULL:!LOW:!MD5:!EXPORT:!DES:!3DES:!RC4:@STRENGTH
tls_prefer_server_ciphers: 1
tls_versions: tls1_2
#tls_versions: tls1_0 tls1_1 tls1_2

PROBLEM:
When I attempt to login using cyradm I get SSL/TLS errors. The only way I have been able to get this to work was to enable TLS version 1.0. Security team won't allow less than TLS1.2 and I am not able to move to a newer OS at this time. Is there a way to get it working on CentOS 7 with TLSv1.2 or later? Maybe I need different ciphers?

If I uncomment the last line I am able to connect and login.
tls_versions: tls1_0 tls1_1 tls1_2

ERRORS:
:~$ cyradm --user cyrus --tlskey --auth plain  localhost
[ SSL_connect error -1 ]
[ SSL session removed ]
[ TLS negotiation did not succeed ]

LOGS: With only TLSv1.2 enabled
imap[]: STARTTLS negotiation failed: localhost [127.0.0.1]

LOGS: With TLSv1.0 enabled
imap[]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication


Any assistance is appreciated.
--Ez
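
The following is an added example, not part of the original post and not Cyrus IMAP code: it tallies the two imapd log formats quoted in the message, so an administrator can see which protocol versions clients negotiate and which peers fail STARTTLS when `tls_versions` is restricted. The syslog prefixes, PIDs and the TLSv1.2 line in the sample are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample: the two log formats quoted in the post, plus a made-up
# TLSv1.2 line and made-up syslog prefixes/PIDs for illustration.
SAMPLE_LOG = """\
Jan 10 09:00:01 mail imap[2101]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jan 10 09:00:07 mail imap[2102]: STARTTLS negotiation failed: localhost [127.0.0.1]
Jan 10 09:01:12 mail imap[2107]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
imap[]: STARTTLS negotiation failed: localhost [127.0.0.1]
"""

# Successful handshake: "<service>[pid]: starttls: <protocol> with cipher <cipher> ..."
OK_RE = re.compile(r"\b\w+\[\d*\]: starttls: (\S+) with cipher (\S+) ")
# Failed handshake: "<service>[pid]: STARTTLS negotiation failed: <host> [<ip>]"
FAIL_RE = re.compile(r"\b\w+\[\d*\]: STARTTLS negotiation failed: (\S+) \[([^\]]+)\]")

# Protocol names as OpenSSL reports them, oldest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def summarize(log_text, minimum="TLSv1.2"):
    """Tally negotiated protocols and failed handshakes from imapd log text."""
    floor = ORDER.index(minimum)
    negotiated, below, failed = Counter(), [], Counter()
    for line in log_text.splitlines():
        m = OK_RE.search(line)
        if m:
            proto, cipher = m.groups()
            negotiated[proto] += 1
            # Unknown protocol names are treated as below the floor.
            if proto not in ORDER or ORDER.index(proto) < floor:
                below.append((proto, cipher))
            continue
        m = FAIL_RE.search(line)
        if m:
            failed[m.group(2)] += 1  # keyed by peer IP address
    return {"negotiated": dict(negotiated),
            "below_minimum": below,
            "failed_peers": dict(failed)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```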
