# Disabling SSL3 in courier-imap

## basiaf

In the course of revising and verifying my SSL settings I came across courier-imap (4.16.2) still accepting SSL3 connections. I'm using the latest openssl (1.0.2g-r1) and checked the connections with

```
openssl s_client -connect localhost:993 -ssl3
```

I tried various settings in /etc/courier-imap/imapd-ssl for TLS_PROTOCOL (=TLS1, = TLS1:!SSL3, =TLSv1.2,...) and restarting the service upon change, but it seems the settings are ignored. I also tried disabling the SSL3 ciphers in TLS_CIPHER_LIST.

Can anybody verify this problem or point me in the right direction?

----------

## gkmac

*basiaf wrote:*

> ...and restarting the service upon change...

I don't use courier-imap anymore, but I remember it had multiple services for each connection type such as courier-pop3d which was the one I used.

Each of those services depended on another service called courier-authlib. Check that you're restarting that one as well.

----------

## basiaf

Yes, I restarted that service during my tests. I don't know if this is Gentoo specific, as the same config seems to work fine on a Debian system. I'll check back on that tomorrow.

----------

## Duncan Mac Leod

*basiaf wrote:*

> In the course of revising and verifying my SSL settings I came across courier-imap (4.16.2) still accepting SSL3 connections. I'm using the latest openssl (1.0.2g-r1) and checked the connections with
> 
> ```
> openssl s_client -connect localhost:993 -ssl3
> ```
> ...

http://disablessl3.com/#courier

----------

## basiaf

Yes, that was one of the first things I checked. Everything is in order. Same config works fine on a Debian system.

```
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl -facility=mail"
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
COURIERTLS=/usr/sbin/couriertls
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!DSS"
TLS_DHPARAMS=/etc/courier-imap/dh2048.pem
...
```

----------
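An added example, not part of any post in this thread: a small shell audit that reports, for an imapd-ssl style file, which protocol variable applies to which listener and what it is currently set to. It assumes courier-imap's documented split, where TLS_PROTOCOL governs IMAP over SSL (port 993) and TLS_STARTTLS_PROTOCOL governs the STARTTLS extension (port 143 by default); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which protocol variable in a courier imapd-ssl
# file governs each listener. The sample file contents are constructed.

# Print the value of the last uncommented assignment of variable $2 in
# file $1, with surrounding double quotes stripped; nothing if unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# One line per listener: port, the enable switch's value, and the
# protocol variable that applies to that listener with its value.
audit_imapd_ssl() {
    f=$1
    for row in "993:IMAPDSSLSTART:TLS_PROTOCOL" \
               "143+STARTTLS:IMAPDSTARTTLS:TLS_STARTTLS_PROTOCOL"; do
        port=${row%%:*}; rest=${row#*:}
        enable=${rest%%:*}; var=${rest#*:}
        on=$(cfg_get "$f" "$enable")
        val=$(cfg_get "$f" "$var")
        echo "$port enabled=${on:-unset} $var=${val:-unset}"
    done
}

# Demo on a constructed file; on a real host pass
# /etc/courier-imap/imapd-ssl instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
#TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=TLS1
EOF
audit_imapd_ssl "$sample"
rm -f "$sample"
```

A line reporting `TLS_PROTOCOL=unset` for port 993 means the file leaves that listener on whatever default the daemon or its init script supplies, so the `openssl s_client` check should be repeated after setting it explicitly.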

