I was following a discussion on another server platform I use, and an issue about TLS and accepted ciphers and protocols, when I decided to investigate what protocols and ciphers my NethServer advertises:
[root@neth ~]# nmap --script ssl-enum-ciphers -p 465 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2015-06-17 07:44 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (30)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (30)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.1
|     Ciphers (30)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (46)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA256
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA256
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_AES_256_GCM_SHA384
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|_      uncompressed
Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
When I look at the Apache config, it disables SSLv3. Shouldn’t our mail server also disable SSLv3? I understand these are probably provided upstream, but just wondering…
Cheers!
Jeff
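An added example (mine, not from the post above or from the NethServer project) that turns output of the shape Jeff pasted into a checklist: it parses the ssl-enum-ciphers listing per protocol version and flags SSLv3 itself plus the suite families a defender would want disabled (anonymous key exchange, RC4, MD5, 3DES, static RSA). The embedded sample output is constructed in the same layout, with a handful of suites instead of the full list.

```python
import re

# Constructed sample in the layout of the nmap ssl-enum-ciphers output above.
SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (2)
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLSv1.2
|     Ciphers (2)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|_      uncompressed
"""

PROTOCOL_RE = re.compile(r"^\|_?\s*(SSLv[23]|TLSv1(?:\.[0-3])?)\s*$")
CIPHER_RE = re.compile(r"^\|_?\s*(TLS_[A-Za-z0-9_]+)\s*$")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substring of the suite name -> why a defender wants that suite disabled.
WEAK_CIPHER_MARKERS = {
    "_anon_": "anonymous key exchange, no server authentication",
    "_RC4_": "RC4 stream cipher",
    "_MD5": "MD5-based MAC",
    "_3DES_": "3DES, 64-bit block size",
    "TLS_RSA_WITH_": "static RSA key exchange, no forward secrecy",
}

def parse_enum_ciphers(text):
    """Map each protocol version the script reported to its list of suites."""
    parsed, current = {}, None
    for line in text.splitlines():
        if m := PROTOCOL_RE.match(line):
            current = m.group(1)
            parsed.setdefault(current, [])
        elif (m := CIPHER_RE.match(line)) and current is not None:
            parsed[current].append(m.group(1))
    return parsed

def find_weak(parsed):
    # Each finding is (protocol, suite or None for the protocol itself, reasons).
    findings = []
    for proto, suites in parsed.items():
        if proto in WEAK_PROTOCOLS:
            findings.append((proto, None, ("obsolete protocol version",)))
        for suite in suites:
            reasons = tuple(why for mark, why in WEAK_CIPHER_MARKERS.items() if mark in suite)
            if reasons:
                findings.append((proto, suite, reasons))
    return findings
```

Run it over the real scan output (`nmap ... | python3 -c ...` or by reading the saved file) and every line it prints is a protocol or suite to remove from the mail server's TLS configuration; an empty result for a protocol means only modern suites remain there.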