On 09/03/2015 14:13, Waldin wrote:
> On 08.03.2015 at 09:14, Waldin wrote:
>
>> Now, I also want to check ciphers enabled in (mobile) mail clients.
>> I've tried to make OpenSSL listen on port 110 (for POP with TLS) and
>> redirected the client to the OpenSSL server. But when trying to pull
>> mail I can't see any handshake information:
>
> FTR, I've now managed to check my mobile mail client. The hint was the
> argument to the s_client command's -starttls option, which made me
> realize that for handshaking with starttls a minimum understanding of
> the protocol is needed. OpenSSL probably doesn't include a POP or IMAP
> server. But it works without starttls, when listening on port 993:
>
>>> openssl s_server -cert public.pem -key ca-key.pem -accept 993
>> Enter pass phrase for ca-key.pem:
>> Loading 'screen' into random state - done
>> Using default temp DH parameters
>> ACCEPT
>> -----BEGIN SSL SESSION PARAMETERS-----
>> MFUCAQECAgMBBAIAOQQABDAM5TDoa/9vlS6pUsqtlPWpgpMc1L7bvwCS5UGiIhut
>> 13A4uf0Zm8T2/q3ULkxnkPKhBgIEVP2ataIEAgIBLKQGBAQBAAAA
>> -----END SSL SESSION PARAMETERS-----
>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
>> -SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
>> 128-SHA:IDEA-CBC-SHA:RC4-SHA
>> CIPHER is DHE-RSA-AES256-SHA
>> Secure Renegotiation IS NOT supported
>> ~A1 LOGIN "MYLOGIN" "MYPASSWORD"
>> ERROR
>> shutting down SSL
>> CONNECTION CLOSED
>> ACCEPT
>
> Hurray! But wait, a plain text password? And no server certificate
> pinning? Oh, no!

Yep, that is essentially what the e-mail protocols allow in most real
world scenarios. Note however that the password is SSL/TLS encrypted,
which is why some mail clients and servers are quite insistent on having
that enabled.
For example, in the usual configuration of the e-mail servers recommended
by the Debian distribution (exim SMTP and courier POP3/IMAP), the default
is for the server to not even ask for a password until SSL/TLS is active;
the only thing a client can do in plaintext is to ask for STARTTLS, or
deliver remote mail (which obviously doesn't require a password). But at
least the client should refuse if the certificate does not match the DNS
name or IP address it was trying to contact (not to be confused with
whatever name the server returns in protocol messages such as the SMTP
banner).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
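Added example, not part of the thread or of OpenSSL: a small Python checker that reads the kind of s_server transcript Waldin pasted, rejoins the "Shared ciphers:" line that the terminal wrapped, and reports legacy suites offered by the client, the missing secure renegotiation, and any IMAP LOGIN or POP3 USER/PASS command that carried credentials through the TLS session. The weak-suite markers are an assumed assessment policy; the embedded transcript is the one quoted above.

```python
import re

# Transcript quoted in the thread; the terminal wrapped the "Shared ciphers:" line.
S_SERVER_OUTPUT = """\
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
128-SHA:IDEA-CBC-SHA:RC4-SHA
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported
~A1 LOGIN "MYLOGIN" "MYPASSWORD"
ERROR
"""

# Assumed policy for this example: suites carrying these markers are legacy.
WEAK_MARKERS = ("RC4", "DES", "IDEA", "NULL", "EXP", "MD5", "ADH", "AECDH")
# s_server output lines that may follow the cipher list; anything else is wrap.
KEYWORD = re.compile(r"^(CIPHER is|Secure Renegotiation|ACCEPT|ERROR|shutting)")
# IMAP LOGIN or POP3 USER/PASS: credentials travel as plain protocol commands.
AUTH_CMD = re.compile(r"^(\S+ LOGIN |USER |PASS )")

def parse_s_server(text):
    """Extract shared suites, negotiated suite, renegotiation flag, auth cmds."""
    info = {"shared": [], "negotiated": None, "secure_renegotiation": None, "auth": []}
    shared, wrap = "", False
    for line in text.splitlines():
        if line.startswith("Shared ciphers:"):
            shared, wrap = line[len("Shared ciphers:"):], True
            continue
        if wrap and not KEYWORD.match(line):
            shared += line                       # terminal-wrapped continuation
            continue
        wrap = False
        if line.startswith("CIPHER is "):
            info["negotiated"] = line[len("CIPHER is "):].strip()
        elif line.startswith("Secure Renegotiation"):
            info["secure_renegotiation"] = "IS supported" in line
        elif AUTH_CMD.match(line):
            info["auth"].append(AUTH_CMD.match(line).group(1).split()[-1])
    info["shared"] = [c for c in shared.split(":") if c]
    return info

def assess(text):
    info = parse_s_server(text)
    findings = ["legacy suite offered: " + c for c in info["shared"]
                if any(m in c for m in WEAK_MARKERS)]
    if info["secure_renegotiation"] is False:
        findings.append("secure renegotiation not supported")
    findings += ["credentials sent as plain %s command inside TLS" % c
                 for c in info["auth"]]
    return info, findings
```

Only the command word (LOGIN, USER, PASS) is recorded, never the credential itself, so the findings can be kept in a test report.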