Koozali.org: home of the SME Server

ldaps !SSLv3 / imaps !rc4

zeeclor
ldaps !SSLv3 / imaps !rc4
« on: February 22, 2017, 02:40:34 AM »
Following a recent security audit it has been suggested that we harden our security on ldaps, imaps, https, smtps.

Running testssl.sh gives the errors below.

I can template out rc4 on ldaps, but the dovecot conf.d directory contains multiple configuration files and there is no equivalent template directory. What is the SME Server recommended way of specifying an ssl_cipher_list?

Also, is there any "easy" way to turn off SSLv3 on ldaps?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bash testssl.sh my.server.org:636
SSLv3               offered (NOT ok)
"Medium" grade encryption    offered (NOT ok)
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507),             Check failed, unexpected result , run testssl.sh -Z --debug=1 and look at /tmp/ssltester.yd7R/*tls_fallback_scsv.txt
RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5

bash testssl.sh my.server.org:993

"Medium" grade encryption    offered (NOT ok)
RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): RC4-SHA RC4-MD5

bash testssl.sh my.server.org:443
Has server cipher order?     nope (NOT ok)
 
bash testssl.sh my.server.org:465
Has server cipher order?     nope (NOT ok)
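An added example, not from this thread and not part of SME Server, for re-checking a port after a configuration change: a POSIX shell script that asks openssl s_client to attempt an SSLv3 handshake and an RC4-only handshake, the two findings testssl.sh flagged on 636 and 993 above. It assumes openssl is on PATH; the host and port are placeholders passed on the command line, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from this thread or from SME Server): re-check a TLS
# port for the two findings testssl.sh raised above, SSLv3 acceptance and
# RC4 suites, using only openssl s_client. Assumes openssl is on PATH;
# the host and port are supplied on the command line and are placeholders.

# negotiated_cipher: read openssl s_client output on stdin and print the
# suite from its "New, <proto>, Cipher is <suite>" line. Prints "(NONE)"
# when no handshake completed and "unsupported" when the local openssl
# could not even offer what was asked for (e.g. a client built without
# SSLv3 or without RC4), which makes that probe inconclusive, not a pass.
negotiated_cipher() {
    out=$(cat)
    case "$out" in
        *"nknown option"*|*"Error setting cipher list"*|*"no cipher match"*)
            echo unsupported
            return 0 ;;
    esac
    c=$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$c" ] || c="(NONE)"
    echo "$c"
}

# rate SUITE PATTERN: "offered" when the negotiated suite matches PATTERN,
# "not offered" when the handshake failed, "inconclusive" when the client
# lacked the option. A successful handshake with a suite outside PATTERN
# is reported as such: with -cipher RC4 a TLS 1.3 client still offers its
# own suites, so "Cipher is TLS_AES_..." must not count as RC4 being offered.
rate() {
    case "$1" in
        unsupported) echo "inconclusive" ;;
        "(NONE)")    echo "not offered" ;;
        $2)          echo "offered" ;;
        *)           echo "not offered ($1 negotiated instead)" ;;
    esac
}

# probe HOST PORT [s_client options...]: one handshake attempt; stdin is
# closed so s_client exits as soon as the handshake is done or fails.
probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1 | negotiated_cipher
}

# check_port HOST PORT: print both findings; exit status 1 if either is
# still offered, so the script can gate a post-change re-test.
check_port() {
    host=$1; port=$2; rc=0
    sslv3=$(rate "$(probe "$host" "$port" -ssl3)" '*')
    rc4=$(rate "$(probe "$host" "$port" -cipher RC4)" '*RC4*')
    echo "$host:$port  SSLv3 handshake: $sslv3"
    echo "$host:$port  RC4 suites:      $rc4"
    [ "$sslv3" = offered ] && rc=1
    [ "$rc4" = offered ] && rc=1
    return $rc
}

# Usage: sh check_tls.sh my.server.org 636   (also 993, 465, 443)
if [ $# -ge 2 ]; then
    check_port "$1" "$2"
fi
```

The "inconclusive" state matters: an openssl built without SSLv3 or RC4 (most current distributions) cannot offer them, so a failed handshake from such a client says nothing about the server. Run the probe from a host whose openssl still has those options, or keep using testssl.sh for that part, and treat "inconclusive" as "not yet verified" rather than as a pass.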
 

Stefano
Re: ldaps !SSLv3 / imaps !rc4
« Reply #1 on: February 22, 2017, 08:12:06 AM »
Please open a bug with all the details (and the script too).
Thank you.

brianr
Re: ldaps !SSLv3 / imaps !rc4
« Reply #2 on: February 22, 2017, 12:14:00 PM »
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.