So, some time ago I had to admit that I needed TLSv1. Well, time marches on, and I started to look at SSL settings again (largely because my SSL certificate expired and I needed to replace it, so why not review the SSL settings?). As well as this website, I use SSL for my email (there are people who will criticize me for using explicit SSL ports instead of STARTTLS over the normal ports, but I am more comfortable with using the explicit ports), both authenticated SMTP and IMAP (sending and receiving). Now, last time I neglected to review the settings for these, so I have in fact been running SSLv3 for all this time on those ports. This is bad. I have turned it off, or at least I would have, if not for an odd bug in my mail client on my computer. Thunderbird, it would seem, does not like TLSv1.2 for IMAP (it works fine for SMTP, mind, just not IMAP). Now I have further investigation to do, but it is annoying me immensely, especially as it works for SMTP over SSL. It also annoys me that the various attempts I have made to alter the SSL cipher suite that my IMAP server uses have either restricted it to just TLSv1.2 or not restricted it at all, so I don't know if Thunderbird is breaking without SSLv3, and really crap, or if it is breaking on TLSv1.2 (and just slightly crap).

Well, I do know what I'll be doing this weekend: looking for a different email client.

I've decided not to change the SSL settings on my website for now, as dropping support for TLSv1 would block quite a few different web clients (something that didn't bother me last time).

posted at 9:25 pm on 28 Oct 2015 by Craig Stewart

Tags: sysadmin web email ssl security embarrassing