On 08.03.2015 at 09:14, Waldin wrote:
> Now, I also want to check ciphers enabled in (mobile) mail clients.
> I've tried to make OpenSSL listen on port 110 (for POP with TLS) and
> redirected the client to the OpenSSL server. But when trying to pull
> mail I can't see any handshake information:

FTR, I've now managed to check my mobile mail client. The hint was the argument to the s_client command's -starttls option, which made me realize that for handshaking with starttls a minimum understanding of the protocol is needed. OpenSSL probably doesn't include a POP or IMAP server. But it works without starttls, when listening on port 993:

> >openssl s_server -cert public.pem -key ca-key.pem -accept 993
> Enter pass phrase for ca-key.pem:
> Loading 'screen' into random state - done
> Using default temp DH parameters
> ACCEPT
> -----BEGIN SSL SESSION PARAMETERS-----
> MFUCAQECAgMBBAIAOQQABDAM5TDoa/9vlS6pUsqtlPWpgpMc1L7bvwCS5UGiIhut
> 13A4uf0Zm8T2/q3ULkxnkPKhBgIEVP2ataIEAgIBLKQGBAQBAAAA
> -----END SSL SESSION PARAMETERS-----
> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
> -SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
> 128-SHA:IDEA-CBC-SHA:RC4-SHA
> CIPHER is DHE-RSA-AES256-SHA
> Secure Renegotiation IS NOT supported
> ~A1 LOGIN "MYLOGIN" "MYPASSWORD"
> ERROR
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT

Hurray! But wait, a plain text password? And no server certificate pinning? Oh, no!

Wald
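Added example, not part of the message above: a small Python script that pulls the client's cipher list out of `s_server` output like the session shown, rejoins the names the console wrap split across lines, and flags ciphers a reviewer would want the mail client to stop offering. The function names and the weak-cipher policy are assumptions made for this example.

```python
import re

# Constructed sample: s_server lines as in the message above, console wrap kept
# (the 80-column wrap splits two cipher names across lines).
SAMPLE = """\
> ACCEPT
> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
> -SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
> 128-SHA:IDEA-CBC-SHA:RC4-SHA
> CIPHER is DHE-RSA-AES256-SHA
> Secure Renegotiation IS NOT supported
"""

# Review policy assumed for this example (substring of the OpenSSL cipher name).
WEAK = {
    "RC4": "RC4 stream cipher",
    "DES-CBC3": "3DES (64-bit block)",
    "IDEA": "IDEA (64-bit block)",
}
# Key exchanges with ephemeral keys; TLS 1.3 names (TLS_*) always use one.
FS_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "TLS_")
NAME_CHARS = re.compile(r"[A-Za-z0-9_:-]+")

def shared_ciphers(output):
    """Return the client's cipher list, undoing mail quoting and line wrap."""
    lines = [re.sub(r"^>\s?", "", ln).strip() for ln in output.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Shared ciphers:"):
            joined = line[len("Shared ciphers:"):]
            for cont in lines[i + 1:]:
                if not NAME_CHARS.fullmatch(cont):
                    break  # first line that is not a bare cipher fragment
                joined += cont
            return [c for c in joined.split(":") if c]
    return []

def audit(output):
    """Map each offered cipher to the reasons it fails the assumed policy."""
    report = {}
    for name in shared_ciphers(output):
        reasons = [why for mark, why in WEAK.items() if mark in name]
        if not name.startswith(FS_PREFIXES):
            reasons.append("no forward secrecy")
        report[name] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name:24} {'; '.join(reasons) or 'ok'}")
```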