[openssl-users] Getting info on the ciphers supported by a client

Jakob Bohm jb-openssl at wisemo.com
Tue Mar 10 14:24:18 UTC 2015


On 09/03/2015 14:13, Waldin wrote:
> Am 08.03.2015 um 09:14 schrieb Waldin:
>
>> Now, I also want to check ciphers enabled in (mobile) mail clients.
>> I've tried to make OpenSSL listen on port 110 (for POP with TLS) and
>> redirected the client to the OpenSSL server.  But when trying to pull
>> mail I can't see any handshake information:
> FTR, I've now managed to check my mobile mail client.  The hint was the
> argument to the s_client command's -starttls option, which made me
> realize that for handshaking with starttls a minimum understanding of
> the protocol is needed.  OpenSSL probably doesn't include a POP or IMAP
> server.  But it works without starttls, when listening on port 993:
>
>>> openssl s_server -cert public.pem -key ca-key.pem -accept 993
>> Enter pass phrase for ca-key.pem:
>> Loading 'screen' into random state - done
>> Using default temp DH parameters
>> ACCEPT
>> -----BEGIN SSL SESSION PARAMETERS-----
>> MFUCAQECAgMBBAIAOQQABDAM5TDoa/9vlS6pUsqtlPWpgpMc1L7bvwCS5UGiIhut
>> 13A4uf0Zm8T2/q3ULkxnkPKhBgIEVP2ataIEAgIBLKQGBAQBAAAA
>> -----END SSL SESSION PARAMETERS-----
>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
>> -SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
>> 128-SHA:IDEA-CBC-SHA:RC4-SHA
>> CIPHER is DHE-RSA-AES256-SHA
>> Secure Renegotiation IS NOT supported
>> ~A1 LOGIN "MYLOGIN" "MYPASSWORD"
>> ERROR
>> shutting down SSL
>> CONNECTION CLOSED
>> ACCEPT
> Hurray!  But wait, a plain text password?  And no server certificate
> pinning?  Oh, no!
Yep, that is essentially what the e-mail protocols allowin
most real world scenarios.  Note however that the password
is SSL/TLS encrypted, which is why some mail clients and
servers are quite insistant on having that enabled.  For
example, the usual configuration of the e-mail servers
recommended by the Debian distribution (exim SMTP and courier
POP3/IMAP), the default configuration is for the server to
not even ask for a password until SSL/TLS is active, the only
thing a client can do in plaintext is to ask for STARTTLS, or
deliver remote mail (which obviously doesn't require a password).

But at least the client should refuse if the certificate does
not match the DNS name or IP address it was trying to contact
(not to be confused with whatever name the server returns in
protocol messages such as the SMTP banner).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



More information about the openssl-users mailing list