[Dovecot] force ciphers order for clients

Reindl Harald h.reindl at thelounge.net
Wed Aug 14 23:37:41 EEST 2013


third try - a limit of 40 KB is ridiculous given the base64
overhead for e-mail, and I can hardly cut more of the screenshot
before it renders unusable at all...

On 14.08.2013 22:04, Robert Schetterer wrote:
> On 14.08.2013 21:30, Reindl Harald wrote:
>> On 14.08.2013 21:19, Robert Schetterer wrote:
>>
>> I played around 5 hours with this absolute crap
> 
> that sounds good, so you already did many real-world tests

yeah, and the bad thing is that it proves that *currently* it is impossible
to have perfect forward secrecy for most real-world clients
without opening other vectors that lead to a fallback to a yellow B

what is really sad is that playing around showed how hard it is
to force different clients to a good cipher at the same time,
and how one change in the order is reflected in the overall result

and facing this: "ssllabs" simulates the negotiation of real
clients (skipped in the screenshot), but we are missing
the same for mail servers, and that's why my conclusion is
that we are hopeless as admins and can only offer things
but not do much about clients using them
__________________________

attached the current results for our webservers

the only positive from the current result is that the server supports
ciphers for "Perfect Forward Secrecy", and the negative is that it is only
theory, so I stay with this config and say "dear browser vendors, I
support it, so use it with your damned client, because I can hardly
use a config which gets a yellow CVSS on security audits to support FS
for you"

well, I could even raise "key exchange" to 90/95,
but after that "FS" would not be listed at all

the really sad thing is that the "FS" you see is not used by
current clients, which mostly use RC4, and if you add !MEDIUM
most of them start using FS ciphers but are vulnerable to the BEAST attack,
which lets you fall down to grade B

if I add !MEDIUM to Dovecot, Thunderbird no longer connects at all
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_analyse.gif
Type: image/gif
Size: 20151 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130814/b6921cf4/attachment-0001.gif>
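As an added illustration of the ordering problem described in this post (not code from the thread or from Dovecot): a small Python model of how server-preferred versus client-preferred cipher order, and dropping the RC4 suites as '!MEDIUM' did on 2013-era OpenSSL, change what each client ends up negotiating. The suite table and the three clients are constructed for the example, not measurements of any real mail client, and the BEAST rule is the usual one (CBC suites under TLS 1.0 or earlier).

```python
# Constructed suite table (OpenSSL-style names): (key exchange, cipher, mode).
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": ("ECDHE", "AES128", "GCM"),
    "ECDHE-RSA-AES128-SHA": ("ECDHE", "AES128", "CBC"),
    "DHE-RSA-AES256-SHA": ("DHE", "AES256", "CBC"),
    "AES128-SHA": ("RSA", "AES128", "CBC"),
    "RC4-SHA": ("RSA", "RC4", "STREAM"),
}

def has_forward_secrecy(suite):
    return SUITES[suite][0] in ("ECDHE", "DHE")  # ephemeral (EC)DH key exchange

def is_rc4(suite):
    return SUITES[suite][1] == "RC4"

def beast_exposed(suite, protocol):
    # BEAST hits CBC suites on TLS 1.0 and earlier; GCM, stream ciphers and TLS 1.1+ are not affected.
    return SUITES[suite][2] == "CBC" and protocol in ("SSLv3", "TLSv1")

def negotiate(server_order, client_order, prefer_server=True):
    """Suite a handshake selects, or None if there is no overlap. With prefer_server
    (Dovecot: ssl_prefer_server_ciphers = yes) the first server suite the client also
    offers wins; otherwise the client's first preference the server accepts wins."""
    first, second = ((server_order, client_order) if prefer_server
                     else (client_order, server_order))
    return next((s for s in first if s in second), None)

def drop_rc4(order):
    # Rough analogue of appending '!MEDIUM' to a 2013-era OpenSSL cipher string.
    return [s for s in order if not is_rc4(s)]

def assess(server_order, clients, prefer_server=True):
    """clients: name -> (offered suites in preference order, protocol).
    Returns name -> (chosen suite, forward secrecy, rc4, beast exposed)."""
    out = {}
    for name, (offered, proto) in clients.items():
        c = negotiate(server_order, offered, prefer_server)
        out[name] = (c, bool(c) and has_forward_secrecy(c),
                     bool(c) and is_rc4(c), bool(c) and beast_exposed(c, proto))
    return out

# Constructed clients; not measurements of any real mail client.
CLIENTS = {
    "rc4_first_tls10": (["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-SHA"], "TLSv1"),
    "rc4_only_tls10": (["RC4-SHA"], "TLSv1"),
    "modern_tls12": (["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"], "TLSv1.2"),
}
SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
          "DHE-RSA-AES256-SHA", "AES128-SHA", "RC4-SHA"]
```

Compare assess(SERVER, CLIENTS) with assess(drop_rc4(SERVER), CLIENTS, False): removing RC4 leaves the RC4-only client with no suite at all, and under client preference the RC4-first client lands on a non-FS CBC suite that is BEAST-exposed on TLS 1.0.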