Cyrus imapd and SSL


The IMAP server running on Fedora (cyrus-imapd-2.4.18-1.fc23.i686) is configured as follows:

$ cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

userdeny_db: flat

tls_cert_file: /etc/pki/tls/certs/corti.li.crt
tls_key_file: /etc/pki/tls/private/corti.li.key
# Chain
tls_ca_file: /etc/pki/tls/certs/COMODORSA.crt

#tls_cipher_list: HIGH
#tls_cipher_list: TLSv1:SSLv3:!SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH:!ADH
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM

# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

Everything is perfect. I am now migrating to CentOS 7 (cyrus-imapd-2.4.17-8.el7_1.x86_64), but with the same configuration the server still accepts connections with SSLv2 and low ciphers:

$ ./testssl.sh --color 0 new.corti.li:993 
[...]
 further IP addresses:   2a01:4f8:c17:3bac::2
 rDNS (138.201.94.195):  static.195.94.201.138.clients.your-server.de.
 Service detected:       IMAP, thus skipping HTTP specific checks

 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)

No errors appear in the logs. Does anyone know why

    tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM

is ignored?

EDIT

The same configuration on the Fedora system produces the following, without SSLv3:

$ ./testssl.sh --color 0 corti.li:993 
[...]
 further IP addresses:   2a01:4f8:d13:f44::2
 rDNS (78.47.122.114):   corti.li.
 Service detected:       IMAP, thus skipping HTTP specific checks

 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)
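As an added example (not part of the original question), here is a small check that turns the two testssl.sh runs above into a regression test: it parses the "offered / not offered" lines, flags anything on a deny list, and reports what the CentOS 7 host offers that the Fedora host did not. The two sample inputs are constructed from the output quoted above; the deny list and function names are assumptions for this example.

```python
import re

# Constructed sample input: protocol and cipher-list lines from the two testssl.sh runs above.
NEW_HOST = """\
 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 HTTP2/ALPN not offered
 Export Ciphers (general)     not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)
"""
BASELINE = """\
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 Export Ciphers (general)     not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)
"""

# One result line: item name, whitespace, "offered" or "not offered", optional "(OK)"/"(NOT ok)".
LINE_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<state>not offered|offered)(?:\s*\((?P<verdict>[^)]*)\))?\s*$"
)

# Items an IMAPS endpoint should never offer (assumed deny list for this example).
FORBIDDEN = {"SSLv2", "SSLv3", "Null Ciphers", "Anonymous NULL Ciphers",
             "Anonymous DH Ciphers", "Export Ciphers (general)", "Low (<=64 Bit)"}


def parse_testssl(text):
    """Map each tested item to True (offered) or False (not offered)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group("name")] = m.group("state") == "offered"
    return result


def findings(parsed):
    """Forbidden items the host offers, regardless of the verdict testssl.sh printed."""
    return sorted(n for n, offered in parsed.items() if offered and n in FORBIDDEN)


def regressions(baseline_text, new_text):
    """Items the new host offers that the baseline host did not."""
    base, new = parse_testssl(baseline_text), parse_testssl(new_text)
    return sorted(n for n, offered in new.items() if offered and not base.get(n, False))
```

Running `regressions(BASELINE, NEW_HOST)` on the quoted output returns `['SSLv3']`, which is the protocol-level difference the cipher list alone did not remove.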
