alezol

asked on

Disable SSLv2 and weak ciphers in UW-IMAP server

Hi everybody,

I'm using UW-IMAP installed on Solaris 10.
The Nessus scan detects SSLv2 and weak ciphers on ports 993 and 143, and PCI compliance requires SSLv3.
I searched the web for how to disable weak ciphers along with SSLv2 on my IMAP server. There is some info available for other applications and even for some IMAP servers, but not for my version, which is uw-imap-2006a, as I could not find any config files to edit; this version doesn't use imapd.conf, for example.

Thank you,
arnold

It is likely part of the OpenSSL.conf, where you would disable the ciphers.
http://stackoverflow.com/questions/3775836/disable-weak-ciphers-in-ssl-connection
Presumes uw-imap was not statically compiled.
http://www.mentby.com/Group/openssl-users/disabling-sslv2.html
Alternatively, provided you are familiar with the risk and your openssl is up to date, the impact of SSLv2 for email retrieval is a limited exposure.

Is an update/switch to an alternate IMAP server an option/under consideration?
alezol

ASKER

Thank you,
In the first link they are talking about SSL_CTX_set_cipher_list. Is that a function? Where should I use it? Could that be part of openssl.cnf? I'm still not clear whether it is possible to use openssl to disable weak ciphers and SSLv2. There are examples of how to list/view, test, and create keys and certificates, but I could not find any where you could disable SSLv2 or weak ciphers system-wide just by using openssl with any arguments...

arnold

It is not using openssl; you need to edit openssl.conf and exclude SSLv2 from there.

http://www.openssl.org/docs/apps/ciphers.html
alezol

ASKER

Are the weak ciphers detected because the keys used with the certificates have weak encryption, and the SSLv2? Would recreating these certificates with a new, upgraded version of OpenSSL solve the problem?
OK, let's pretend I know what to put in the openssl.cnf file to prevent weak ciphers and SSLv2. The file itself, as I believe, is read by openssl during key and certificate generation. Is the next step just to recreate the keys, then request new certificates? If that is the case, should the whole certificate bundle be recreated, like CA root, intermediate, and so on? I'm not even sure if I'm on the right track; I'm not an expert in this area...

Thanks again for your help!
arnold

No, the options are available to the client that initiates the connection, which is why PCI generates the error.

I.e. you speak three languages: A, B, and C.
Your employer says only A and C can be used.
The employer hires a firm to test that everyone conforms to the rule of only using A and C to talk.
The firm places a call with the intent to use language B. You answer the call and hear the person speaking language B. By your employer's rules, you should only use A or C when answering the call, i.e. anything other than A or C should receive a response in A and C: "Speak A?" "Speak C?"
You, on the other hand, as a fluent speaker of B, answer speaking B. The report from this firm to your employer would be that there is a non-compliant responder on the phone who answers the call in B.

This is what the PCI test is. It has the option to initiate the connection and present what means of communication it wants to use to establish a connection to your server. Your server has to be configured such that the SSLv2 options are unavailable.

On Solaris, look for /etc/ssl/openssl.cnf

See whether an option to transition to another IMAP server that lets you configure the exclusion/inclusion of specific SSL options is available.
Courier-IMAP is lighter/less resource intensive compared to UW-IMAP (IMHO).

If you are using the Maildir/ format for message storage, the transition from one to the other should be transparent to the user(s).
One thing you might want to consider is modifying the Courier-IMAP code to deny deletion of the trash folder (I have not looked at the code in quite some time, so it might already be there). When I worked with Courier-IMAP, the user was allowed to delete the trash folder, which caused other issues.
alezol

ASKER

Thank you,
A transition is not an option now; that is why I'm looking for an alternate option, considering the one you suggested. I was looking at editing openssl.cnf to put in some configuration setting disabling SSLv2 and weak ciphers, and couldn't find any on the web.
Also, I found this URL: http://mailman2.u.washington.edu/pipermail/imap-use/2008-November.txt -- it is the actual developer of UW-IMAP (Mark Crispin) answering a support question on disabling SSLv2 in our type of IMAP software. He suggests modifying "#define SSLCIPHERLIST" in the ssl_unix.c file by adding :!SSLv2. If I put something like this: #define SSLCIPHERLIST "ALL:!LOW:!SSLv2:!ADH:!NULL:!EXPORT56:!DES", it would disable SSLv2 along with the weak ciphers... If this is the solution and the C file has to be recompiled, then the question is: after you recompile ssl_unix.c, where does the actual output file go?

Thanks again for your time!
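The ssl_unix.c edit the asker describes above, written up as an added example (editor's code, not the thread's and not UW-IMAP's own). The source path under SRC is an assumption about where the unpacked imap-2006a tarball keeps ssl_unix.c, and the file fragment the demo patches is constructed here so the script runs offline. Two points worth checking before rebuilding: in OpenSSL's cipher-string syntax (the `openssl ciphers` manual linked earlier in the thread) `EXPORT56` excludes only the 56-bit export suites, so 40-bit export suites such as EXP-RC4-MD5 survive `ALL:!LOW:!SSLv2:!ADH:!NULL:!EXPORT56:!DES` and only `!EXPORT` removes them all; and `!SSLv2` is meaningful only on an OpenSSL that still has SSLv2 compiled in, which is the case for the era of this thread. The check_cipherlist function asks the local openssl to expand the string and flags anything in the SSLv2 protocol column or any NULL/export/single-DES suite. As for where the rebuilt binary goes: UW-IMAP is rebuilt from the top of the tree with `make <port>` (the Solaris port names depend on the compiler; see the Makefile), and as I recall the relinked daemon is left at imapd/imapd inside the source tree, which you then copy over wherever inetd.conf points.

```bash
#!/bin/sh
# Added example, not UW-IMAP's own code: apply the SSLCIPHERLIST change to ssl_unix.c
# and verify it before rebuilding. The sample source fragment below is constructed so
# the script runs offline; point SRC at a real tree (path is an assumption) to use it.

SRC="${SRC:-$HOME/imap-2006a/src/osdep/unix/ssl_unix.c}"   # assumed location in the unpacked tarball
NEW_LIST='ALL:!LOW:!SSLv2:!ADH:!NULL:!EXPORT56:!DES'       # the string proposed in the thread

# write_sample_ssl_unix FILE: constructed stand-in for the relevant line of ssl_unix.c
# (the real file carries '#define SSLCIPHERLIST "ALL:!LOW"' plus a lot more code).
write_sample_ssl_unix() {
  printf '%s\n' '/* constructed fragment for the example */' \
                '#define SSLCIPHERLIST "ALL:!LOW"' > "$1"
}

# current_sslcipherlist FILE: print the cipher string currently inside the define.
current_sslcipherlist() {
  sed -n 's/^#define SSLCIPHERLIST "\(.*\)"/\1/p' "$1"
}

# patch_sslcipherlist FILE LIST: replace the define with LIST, keeping FILE.orig.
# Fails (non-zero) if the file has no such define, so a wrong path is caught early.
patch_sslcipherlist() {
  file=$1; list=$2
  grep -q '^#define SSLCIPHERLIST "' "$file" || return 1
  cp "$file" "$file.orig"
  sed "s|^#define SSLCIPHERLIST \".*\"|#define SSLCIPHERLIST \"$list\"|" "$file.orig" > "$file"
}

# check_cipherlist LIST: expand LIST with the local openssl and fail if anything in the
# SSLv2 protocol column, or any NULL/export/single-DES suite, survives. Skipped (success)
# when openssl is absent; returns 2 if openssl rejects the string (e.g. no SSLv2 keyword).
check_cipherlist() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping cipher check" >&2; return 0; }
  out=$(openssl ciphers -v "$1" 2>/dev/null) || { echo "openssl rejected the cipher string" >&2; return 2; }
  printf '%s\n' "$out" |
    awk '$2 == "SSLv2" || /NULL/ || /^EXP/ || /^DES-CBC-/ { bad = 1 } END { exit bad }'
}

# Demo against a constructed file; set SRC to your tree and run the same three steps by hand.
tmp=$(mktemp)
write_sample_ssl_unix "$tmp"
echo "before: $(current_sslcipherlist "$tmp")"
patch_sslcipherlist "$tmp" "$NEW_LIST" && echo "after:  $(current_sslcipherlist "$tmp")"
if check_cipherlist "$NEW_LIST"; then echo "cipher check passed"; else echo "cipher check FAILED: weak suites remain or string rejected"; fi
rm -f "$tmp" "$tmp.orig"
```

On a real tree: `patch_sslcipherlist "$SRC" "$NEW_LIST"`, run `check_cipherlist` (or `openssl ciphers -v "$NEW_LIST"` by hand) and look at the output, then rebuild and reinstall the daemon. If the check reports surviving EXP- suites, add `:!EXPORT` to the list before rebuilding.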
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.
alezol

ASKER

Thanks again for your help and time!
I just decided to enable the IP Filter firewall on Solaris and allowed only a specific pool of IP addresses through the IMAPS port, and that solved the problem.
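The workaround the asker settled on, as an added example (editor's code, not from the thread): a Solaris IP Filter ruleset that admits the IMAP ports only from an allow-list of client networks. The interface name (bge0) and the allowed networks are assumptions; the networks are RFC 5737 documentation ranges standing in for a real client pool. Since the scan flagged port 143 as well as 993, the ruleset covers both, because an IMAP server offering STARTTLS on 143 negotiates with the same cipher list. Note that APPLY=1 overwrites /etc/ipf/ipf.conf, so merge these lines into an existing ruleset rather than running it as-is on a host that already has one.

```bash
#!/bin/sh
# Added example, not from the thread: a Solaris IP Filter (ipf) ruleset that admits the
# IMAP ports only from an allow-list. Interface name and networks are assumptions;
# the networks are RFC 5737 documentation ranges standing in for real client pools.

IFACE=bge0                                    # assumed interface the mail clients reach
ALLOWED_NETS="192.0.2.0/24 198.51.100.10/32"  # constructed allow-list, space separated
IMAP_PORTS="993 143"                          # both ports the scan flagged: IMAPS and IMAP/STARTTLS
IPF_CONF=/etc/ipf/ipf.conf                    # Solaris 10 default ruleset location

# imap_ipf_rules: emit the rules. ipf evaluates top-down and "quick" stops at the first
# match, so each port gets its pass rules first and a logged block rule last. "flags S
# keep state" matches only the initial SYN and lets the state table pass the rest of
# the connection, so no separate outbound rule is needed for replies.
imap_ipf_rules() {
  for port in $IMAP_PORTS; do
    for net in $ALLOWED_NETS; do
      printf 'pass in quick on %s proto tcp from %s to any port = %s flags S keep state\n' \
        "$IFACE" "$net" "$port"
    done
    printf 'block in log quick on %s proto tcp from any to any port = %s\n' "$IFACE" "$port"
  done
}

# imap_ipf_rule_count: ports x (networks + 1); a quick sanity check on the generated set.
imap_ipf_rule_count() { imap_ipf_rules | wc -l | tr -d ' '; }

# Preview by default; APPLY=1 writes the file and loads it (run as root on the Solaris host).
imap_ipf_rules
if [ "${APPLY:-0}" = 1 ]; then
  imap_ipf_rules > "$IPF_CONF"
  svcadm enable network/ipfilter      # make sure the IP Filter SMF service is running
  ipf -Fa -f "$IPF_CONF"              # flush the active ruleset and load the new one
  ipfstat -io                         # print the rules now in effect for verification
fi
```

After loading, re-run the scan from an address outside the allow-list: the SSLv2 finding disappears because the scanner never completes a TCP handshake, not because the server stopped offering SSLv2. Clients inside the allow-list still negotiate against the unchanged cipher list, so the ssl_unix.c rebuild remains the fix for the server itself.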