On 20.10.2013 01:58, Darren Pilgrim wrote:
On 10/18/2013 5:32 AM, Reindl Harald wrote:
On 18.10.2013 14:22, Adi Kriegisch wrote:
PS: I need that feature to enable PFS while allowing Outlook to still connect and the others not to fall back to a different cipher; I was unable to find a PFS cipher that is supported by Outlook and OpenSSL
ssl_prefer_server_ciphers = yes
Outlook, at least on WinXP, any version, continues to use RC4 ciphers, but any sane mail client is using PFS ciphers.

Thanks for sharing; I opted for disabling RC4 completely and came up with the following (formatted for readability):

  HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:
  EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:
  +DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:
  !AES128:!CAMELLIA128:
  !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:!RC4:!SEED:
  +AES256-SHA

which disables every cipher with less than 256 bit and leaves AES256-SHA as a last resort for Outlook...
this does *not work* with Outlook 2003-2010 on Windows XP
It's not Outlook's fault. Office, IE, etc. all use stunnel which, on XP/2003, is as outdated as OpenSSL 0.9.8.
Enable 3DES to support XP clients
and how does that give you any gain over RC4?
It is noteworthy, however, that RC4, being a stream cipher, is the only common cipher which is immune[9] to the 2011 BEAST attack on TLS 1.0, which exploits a known weakness in the way cipher block chaining mode is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers.
why do you waste that much time?
Sane clients with the ciphers I provided use secure encryption without breaking XP users, and more than that you can't do - period.
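The whole thread turns on what a cipher string like the one above actually expands to: "!" removes a suite for good, "+" only moves it to the end of the list, which is why "+AES256-SHA" as the last token is what makes AES256-SHA the last-resort suite. The following Python is an added example written for this page; it is not code from the thread, from Dovecot or from Outlook. It feeds the posted string to the ssl module of the local Python, so the resulting list comes from whatever OpenSSL that Python is linked against (an assumption: a modern build, which also lists TLS 1.3 suites and ChaCha20, names the 2013 OpenSSL 1.0.1 setup did not have) and reports whether RC4 or 3DES survived, which suites without forward secrecy remain as fallbacks for an old client, and which suite comes last.

```python
"""Expand an OpenSSL cipher string and check what it leaves for old clients.

Added example for this thread; not code from the thread or from Dovecot.
It uses whichever OpenSSL the local Python's ssl module is linked against,
so the exact suite list differs from the 2013 (OpenSSL 1.0.1) setup above,
but the rule semantics ('!' removes for good, '+' moves to the end) are
the same, and the list matches what `openssl ciphers -v '<string>'` prints.
"""
import ssl

# The cipher string Adi Kriegisch posted, joined back into one line.
THREAD_CIPHER_STRING = (
    "HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:"
    "+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:"
    "!AES128:!CAMELLIA128:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:!RC4:!SEED:"
    "+AES256-SHA"
)

# OpenSSL suite-name prefixes that imply forward secrecy (ephemeral (EC)DH).
# TLS 1.3 suites (TLS_...) are always forward secret.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def expand_cipher_string(cipher_string):
    """Return the ordered list of suite dicts the local OpenSSL selects for
    cipher_string, in the order a server configured with it would prefer
    them.  Raises ssl.SSLError when nothing matches at all (OpenSSL's
    'no cipher match'); unknown tokens such as '!SSLv2' on a build without
    SSLv2 are silently ignored, exactly as in `openssl ciphers`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def legacy_suites(suites):
    """Suites the cipher string governs, i.e. everything but TLS 1.3.
    On OpenSSL 1.1.1+ the TLS 1.3 suites are configured separately and are
    not touched by '!AES128' and friends, so they are excluded here."""
    return [s for s in suites if s["protocol"] != "TLSv1.3"]


def audit(suites):
    """Summarise what the list offers to a client that has no PFS suites."""
    names = [s["name"] for s in suites]
    legacy = [s["name"] for s in legacy_suites(suites)]
    non_pfs = [n for n in legacy if not n.startswith(PFS_PREFIXES)]
    return {
        "rc4_present": any("RC4" in n for n in names),
        "3des_present": any("DES" in n for n in names),
        # Suites an old client without (EC)DHE support could still negotiate.
        "non_pfs_fallbacks": non_pfs,
        # Last entry of the governed list: the '+AES256-SHA' token put it here.
        "last_resort": legacy[-1] if legacy else None,
        "min_strength_bits": min(
            (s["strength_bits"] for s in legacy_suites(suites)), default=0
        ),
    }


if __name__ == "__main__":
    expanded = expand_cipher_string(THREAD_CIPHER_STRING)
    for s in legacy_suites(expanded):
        print(f"{s['name']:<32} {s['protocol']:<8} {s['strength_bits']} bits")
    print(audit(expanded))
```

Two things the output makes visible that the string alone does not: on a modern OpenSSL the "non_pfs_fallbacks" list is longer than just AES256-SHA, because HIGH keeps pulling in newer static-RSA suites (CCM, ARIA, Camellia-SHA256) that a 2013 blacklist never named, so a blacklist-style string ages badly compared with listing the wanted suites explicitly; and the 256-bit claim only holds for the suites the legacy string controls, since TLS 1.3 keeps its own list.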