Hello Xavier,
did you have any success disabling SSLv3? I would like to disable any
old ciphers and turn on Forward Secrecy. Do you have experience with
this and perdition?
Thank you,
Alex
From: Xavier Garcia <xavi.garcia <at> gmail.com>
Subject: Re: Disabling SSLv3
<http://news.gmane.org/find-root.php?message_id=20141031133121.GB53613%40bea…>
Newsgroups: gmane.mail.perdition.user
<http://news.gmane.org/gmane.mail.perdition.user>
Date: 2014-10-31 13:31:23 GMT (43 weeks, 1 hour and 45 minutes ago)
Hi,
AFAIK, this enables STARTTLS in the port instead of starting a
purely encrypted connection.
nc -vv imapproxy01i 993
Connection to imapproxy01i 993 port [tcp/imaps] succeeded!
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES
* MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE
* LOGIN-REFERRALS STARTTLS LOGINDISABLED] perdition ready on
* imapproxy01i 00028de7
I haven't tested but I think this may not change the list of
accepted cyphers. After reading the manual and some messages in
the list, it seems that all references to TLS in the
configuration are aiming at STARTTLS and the only way to change
the valid ciphers is with *ssl_listen_ciphers* and
*ssl_outgoing_ciphers*. Am I mistaken?
Regards,
Xavier Garcia
On Fri, Oct 31, 2014 at 02:10:42PM +0100, LE SAOUT Mael wrote:
> Hi all,
>
> I have to disable it in /etc/sysconfig/perdition :
> POP3S_FLAGS="--outgoing_port 110 --ssl_mode tls_listen,tls_listen_force"
> IMAP4S_FLAGS="--outgoing_port 143 --ssl_mode tls_listen,tls_listen_force"
>
> Hope it will help you.
>
> Regards
>
> Mael
>
> -----Message d'origine-----
> De?: perdition-users-bounces <at> vergenet.net [mailto:perdition-users-bounces <at> vergenet.net] De la
part de Xavier Garcia
> Envoy??: vendredi 31 octobre 2014 13:59
> ??: perdition-users <at> vergenet.net
> Objet?: [PERDITION-USERS] Disabling SSLv3
>
> Dear all,
>
> I am trying to disable SSLv3 on perdition 2.0-1.x86_64 It is running in a RHEL 6.5 clone and it was compiled
with the SPEC files.
>
> In theory, I should apply the following configuration but it also disables TLSv1 and TLSv1.1, being
TLSv1.2 still available.
>
> ---
> ssl_listen_ciphers "ALL:!SSLv2:!SSLv3"
> ---
>
> I don't know much about cryptography but I guess it makes sense because I obtain the same result in all my
boxes (RHEL 6.5 , Fedora and FreeBSD 10) when I execute:
>
> openssl ciphers -v 'ALL:!SSLv2:!SSLv3'
>
>
> What would be the best way to disable SSLv2 and SSLv3 for incoming and outgoing connections?
>
> Regards,
>
> Xavier Garcia
> ______________________________________________
> Perdition-users mailing list
> Perdition-users <at> vergenet.net
>http://lists.vergenet.net/listinfo/perdition-users
>
> ----
______________________________________________
Perdition-users mailing list
Perdition-users <at> vergenet.nethttp://lists.vergenet.net/listinfo/perdition-users
i have a system that has both ipv4 and ipv6 addresses configured in dns,
but if i use that name as the bind address for perdition, it seems to
only bind to the v6 version. for now i have hacked things by using
separate names, but i'd like to have a single name for both v4 and v6.
am i missing some obvious way to force perdition to listen to both?
Hi all,
I have following problem:
Host Ubuntu 14.04 desktop
VMs Ubuntu 14.04 desktop/server edition
VirtualBox
I have several websites running on VMs, each with its own domain/subdomain and internal IP address. But I have only one Fixed IP/External IP.
Could Perdition help me out? If YES please advise where can I find relevant document of its setup?
All VMs are Apache server running WordPress. My problem is I have only ONE Fixed IP. I can create many internal IPs on router.
Several years ago I made use of Perdition to setup several mail servers on VMs but served with only ONE Fixed IP. It worked seamlessly. All emails were delivered to their own servers. Maybe I can dig up the respective documents on my database. But I have no idea whether it also work on web-server?
Thanks
Regards
satimis
