On 09.05.2014 14:28, Sebastian Goodrick wrote:
> For any reason I don't understand, there are ciphers listed twice in the old OpenSSL version but also once in the new version: EXP-RC2-CBC-MD5, EXP-RC4-MD5, RC4-MD5
EXP-RC4-MD5 != RC4-MD5
however, with a recent dovecot setup and openssl >= 1.0.1 you can and should order the ciphers on the server side

the configuration below disables, as the most important thing, the broken RC4 and even supports Outlook 2003 on WinXP, which uses DES-CBC3-SHA, as proven by dovecot logs

because it does not list any crap, it is short enough that compatible ciphers are always among the first 64; you may use google to find out why that is important when it comes to handshakes with older software, especially from Microsoft

these 21 ciphers are ordered by best possible encryption and pass serious security audits
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
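As an added example that is not part of this thread, a small Python checker for the policy the reply above describes: server-side preference switched on, no RC4, export-grade or MD5 suites, at most 64 suites so old clients still complete the handshake, and 3DES kept only at the tail of the list. The setting names are Dovecot's own; the GOOD fragment is the list from the mail and the WEAK fragment is constructed for contrast.

```python
"""Audit a Dovecot SSL config fragment against the cipher policy from the mail."""
import re

# Suite-name patterns treated as unacceptable (constructed for this check).
FORBIDDEN = {
    "RC4": re.compile(r"RC4"),
    "export grade": re.compile(r"^EXP-"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "unauthenticated or unencrypted": re.compile(r"NULL|^ADH|^AECDH"),
}

def parse_dovecot(config_text):
    """Return {key: value} for 'key = value' lines; blanks and comments are skipped."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_dovecot_ssl(config_text, max_suites=64):
    """Return a list of findings; an empty list means the fragment passes the policy."""
    settings = parse_dovecot(config_text)
    findings = []
    if settings.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("ssl_prefer_server_ciphers is not 'yes': the client picks the suite")
    entries = [e for e in settings.get("ssl_cipher_list", "").split(":") if e]
    suites = [e for e in entries if not e.startswith("!")]  # '!X' removes, it adds nothing
    for suite in suites:
        for label, pattern in FORBIDDEN.items():
            if pattern.search(suite):
                findings.append(f"{suite}: forbidden ({label})")
    if len(suites) > max_suites:
        findings.append(f"{len(suites)} suites: more than {max_suites}, old clients may fail")
    if not suites or "GCM" not in suites[0]:
        findings.append("first suite is not an AEAD (GCM) suite")
    # 3DES is only a fallback for ancient clients, so it must sit at the very end.
    positions = [i for i, s in enumerate(suites) if "DES-CBC3" in s]
    if positions and positions[0] != len(suites) - len(positions):
        findings.append("3DES suites are not at the end of the list")
    return findings

# Sample fragments: GOOD is the mail's configuration, WEAK is a constructed bad one.
GOOD = """
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
"""
WEAK = """
ssl_prefer_server_ciphers = no
ssl_cipher_list = RC4-MD5:EXP-RC4-MD5:AES128-SHA:DES-CBC3-SHA:AES256-SHA
"""
```

Running `audit_dovecot_ssl(GOOD)` returns an empty list, while the WEAK fragment yields one finding per violated rule.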