TLS 1.0 vulnerability over 993 IMAPS

I recently ran some vulnerability tests via qualys against my cloudron setup and im showing a vulnerability with the 993 using tls 1.0. I thought 1.0 was disabled by cloudron? Is this a false alarm? IF not, is there an easy way to force tls 1.2 only?

@mastadamus Curious, what URL did you use in the Qualsys test? I assume my.<domain>.<tld>? I just ran it on that URL for mine and got an A+.

I'm still not seeing anything about TLSv1.0 enabled on the mail domain either. @Mastadamus  are you able to explain how to reproduce this test so people can check out their own instances? So far I'm not able to reproduce.

@d19dotca I used the qualys vulnerability scanner community edition. You need to create an qualys account and use the actual vulnerability scanner. Also if you are running a firewall, you may have to unblock the qualys IP if it auto blocks it when it attempts various "scans' like checking for heartbleed etc. you can sign up for here https://www.qualys.com/communityedition/

@mastadamus thanks for reporting! Initially, I thought this was a false alarm because tls1 connections don't work:
openssl s_client connect my.example.com:993 tls1 CONNECTED(00000003) 140461753824576:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:  no peer certificate available  No client certificate CA names sent  SSL handshake has read 0 bytes and written 7 bytes Verification: OK  New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) 
Investigating further, I found that s_client can also fail if there is cipher match. And doing a "scan":
$ nmap script sslenumciphers my.example.com p 993 Starting Nmap 7.80 ( https://nmap.org ) at 20210220 09:50 PST Nmap scan report for my.example.com (45.55.2.141) Host is up (0.013s latency). PORT STATE SERVICE 993/tcp open imaps  sslenumciphers:  TLSv1.0:  ciphers:  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 1024)  A  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1)  A  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096)  A  compressors:  NULL  cipher preference: client  warnings:  Key exchange (dh 1024) of lower strength than certificate key  TLSv1.1:  ciphers:  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 1024)  A  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1)  A  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096)  A  compressors:  NULL  cipher preference: client  warnings:  Key exchange (dh 1024) of lower strength than certificate key  TLSv1.2:  ciphers:  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_AES_128_CCM (dh 1024)  A  TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 1024)  A  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_CCM (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 1024)  A  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024)  A  TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024)  A  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 1024)  A  TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 1024)  A  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1)  A  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1)  A  TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp384r1)  A  TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp384r1)  A  TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp384r1)  A  TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp384r1)  A  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp384r1)  A  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096)  A  TLS_RSA_WITH_AES_128_CCM (rsa 4096)  A  TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096)  A  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096)  A  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096)  A  TLS_RSA_WITH_AES_256_CCM (rsa 4096)  A  TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096)  A  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096)  A  TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096)  A  TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096)  A  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096)  A  TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096)  A  compressors:  NULL  cipher preference: client  warnings:  Key exchange (dh 1024) of lower strength than certificate key _ least strength: A Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds
So, looks like something we have to disable in dovecot. We had disabled this in Haraka (the SMTP server) but not dovecot it seems. You can run nmap on port 587 to verify.

Ah nice, it seems the upgrade of the base image to bionic already fixed this since it comes with a newer dovecot.
$ nmap script sslenumciphers my.example.com p 993 Starting Nmap 7.80 ( https://nmap.org ) at 20210220 09:59 PST Nmap scan report for my.example.com (142.93.86.76) Host is up (0.014s latency). PORT STATE SERVICE 993/tcp open imaps  sslenumciphers:  TLSv1.2:  ciphers:  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1)  A  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1)  A  compressors:  NULL  cipher preference: client  warnings:  Key exchange (secp256r1) of lower strength than certificate key _ least strength: A

Hey, glad I could be of service. Thanks for the quick replies and thankfully, its quickly remedied.

@girish sir
BTW, I apologize for not using your dedicated vulnerability reporting method.
 I just read up on it
 I really thought it was due to a settings misconfiguration part on my end and a false alarm as well. I was initially just looking for Guidance on fixing what I set up wrong. In the future if it's vulnerability concerned, I'll use your reporting mechanisms.

@mastadamus no problem! atleast, this is not a severe security issue and we have a fix coming already.