Disabling SSLv2 in Courier IMAP

I'm trying to disable SSLv2 support (among other things) in Courier on Linux. In /etc/courier/imapd-ssl I have:

    TLS_CIPHER_LIST="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:!ADH:@STRENGTH:!3DES"
    TLS_PROTOCOL=TLS1
    TLS_STARTTLS_PROTOCOL=TLS1

This works fine on imaps (993/tcp):

    # openssl s_client -connect localhost:995 -ssl2
    CONNECTED(00000003)
    write:errno=104

But for STARTTLS on 143/tcp, SSLv2 still appears to be allowed:

    openssl s_client -connect localhost:143 -starttls imap -ssl2
    CONNECTED(00000003)

By comparison:

    openssl s_client -connect localhost:143 -starttls imap -ssl3
    CONNECTED(00000003)
    140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 549 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : SSLv3
        Cipher : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1492550234
        Timeout : 7200 (sec)
        Verify return code: 0 (ok)
    ---

So it looks to me like SSLv2 is still enabled when using STARTTLS on 143.
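
An added example (not part of the original question): a small shell helper that classifies an `openssl s_client` transcript by whether a cipher was actually negotiated. `openssl s_client` prints `CONNECTED(...)` as soon as the TCP connection is up, before any TLS handshake, so that line alone does not show that a protocol version was accepted. The function name `classify_s_client` and the "negotiated" sample transcript are constructed for illustration; the other samples are abbreviated from the outputs quoted above.

```bash
#!/usr/bin/env bash
# Added example: classify an `openssl s_client` transcript read from stdin.
# Prints one of:
#   negotiated <protocol> <cipher>  a handshake completed with that cipher
#   failed                          TCP connected, but no cipher was negotiated
#   inconclusive                    only CONNECTED (or nothing) was captured
classify_s_client() {
    awk '
        /^CONNECTED\(/            { connected = 1 }
        /:error:|errno=/          { error = 1 }
        /Cipher is /              { sub(/.*Cipher is /, ""); summary = $0 }
        /^[ \t]*Protocol[ \t]*:/  { sub(/.*:[ \t]*/, ""); proto = $0 }
        /^[ \t]*Cipher[ \t]*:/    { sub(/.*:[ \t]*/, ""); cipher = $0 }
        END {
            if (cipher != "" && cipher != "0000" && summary != "(NONE)")
                print "negotiated", proto, cipher
            else if (connected && (error || summary == "(NONE)" || cipher == "0000"))
                print "failed"
            else
                print "inconclusive"
        }'
}

# Port 143, -ssl2: only the TCP connect line was captured.
printf '%s\n' 'CONNECTED(00000003)' | classify_s_client

# Port 995, -ssl2: connection reset right after connecting.
printf '%s\n' 'CONNECTED(00000003)' 'write:errno=104' | classify_s_client

# Port 143, -ssl3 (abbreviated): error line and no cipher negotiated.
printf '%s\n' 'CONNECTED(00000003)' \
    '140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:' \
    'New, (NONE), Cipher is (NONE)' \
    '    Protocol  : SSLv3' \
    '    Cipher    : 0000' | classify_s_client

# Constructed sample of a completed handshake, for contrast.
printf '%s\n' 'CONNECTED(00000003)' \
    'New, TLSv1/SSLv3, Cipher is AES256-SHA' \
    '    Protocol  : TLSv1' \
    '    Cipher    : AES256-SHA' | classify_s_client
```

For a live check, pipe the command's combined output into the function, for example `openssl s_client -connect localhost:143 -starttls imap -ssl3 </dev/null 2>&1 | classify_s_client`.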