2023-04-14
Teaching courier-imapd-ssl to use up-to-date encryption
A discussion on irc about how hard it is to set TLS options in some programs made me recall I still wanted courier-imap-ssl to give me the right SSL settings (Only TLS 1.2 and 1.3, and no weak algorithms). This has bothered me for a while but I couldn't find the right answers. Most documentation assumes courier-imap-ssl is compiled with OpenSSL. In Debian/Ubuntu/Devuan it is compiled with GnuTLS. Searching this time found me Bug #1808649 “TLS_CIPHER_LIST and TLS_PROTOCOL Ignored” : Bugs : courier package : Ubuntu which points at debian-server-tools/mail/courier-check at master · szepeviktor/debian-server-tools · GitHub which lists the right parameter TLS_PRIORITY. And that page has usable answers for up to TLS v1.2, with some reading of the output of gnutls-cli --list I can imagine TLS v1.3 settings. So with a minor adjustment to the given example to allow for TLS v1.3 I set this in /etc/courier/imapd-ssl:
##NAME: TLS_PRIORITY:0 # # GnuTLS setting only # # Set TLS protocol priority settings (GnuTLS only) # # DEFAULT: NORMAL:-CTYPE-OPENPGP # # This setting is also used to select the available ciphers. # # The actual list of available ciphers depend on the options GnuTLS was # compiled against. The possible ciphers are: # # AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL # # Also, the following aliases: # # HIGH -- all ciphers that use more than a 128 bit key size # MEDIUM -- all ciphers that use a 128 bit key size # LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher # is not included # ALL -- all ciphers except the NULL cipher # # See GnuTLS documentation, gnutls_priority_init(3) for additional # documentation. TLS_PRIORITY="NONE:+CHACHA20-POLY1305:+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-ECDSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+COMP-NULL:+VERS-TLS1.2:+VERS-TLS1.3:+SIGN-ALL:+CURVE-SECP521R1:+CURVE-SECP384R1:+CURVE-SECP256R1:+CTYPE-X509"And now things are good! All green in sslscan:SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 disabled TLSv1.1 disabled TLSv1.2 enabled TLSv1.3 enabled TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Session renegotiation not supported TLS Compression: Compression disabled Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256 Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256 Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256 Preferred TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256 Curve P-256 DHE 256 Server Key Exchange Group(s): TLSv1.3 128 bits secp256r1 (NIST P-256) TLSv1.3 192 bits secp384r1 (NIST P-384) TLSv1.3 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) SSL Certificate: Signature Algorithm: sha256WithRSAEncryption ECC Curve Name: secp384r1 ECC Key Strength: 192To compare, the 'before' situation:SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 enabled TLSv1.1 enabled TLSv1.2 enabled TLSv1.3 enabled TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Secure session renegotiation supported TLS Compression: Compression disabled Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed TLSv1.1 not vulnerable to heartbleed TLSv1.0 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305 DHE 3072 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 3072 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 3072 bits Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 3072 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 3072 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-CCM Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-CCM Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits AES128-SHA Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 3072 bits Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 3072 bits Accepted TLSv1.1 256 bits AES256-SHA Accepted TLSv1.1 128 bits AES128-SHA Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 3072 bits Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 3072 bits Accepted TLSv1.0 256 bits AES256-SHA Accepted TLSv1.0 128 bits AES128-SHA Server Key Exchange Group(s): TLSv1.3 128 bits secp256r1 (NIST P-256) TLSv1.3 192 bits secp384r1 (NIST P-384) TLSv1.3 260 bits secp521r1 (NIST P-521) TLSv1.3 128 bits x25519 TLSv1.3 128 bits ffdhe3072 TLSv1.3 150 bits ffdhe4096 TLSv1.3 175 bits ffdhe6144 TLSv1.3 192 bits ffdhe8192 TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits x25519There were no really bad options offered (this is mostly due to GnuTLS having sane defaults) but I want my TLS settings to be a lot better than 'not really bad'.