Am 11.09.2013 19:10, schrieb Frank Behrens:
Hi Emmanuel!
Am 10.09.2013 09:54, schrieb Emmanuel Dreyfus:
Hi
Is there known advices on how to favor PFS with dovecot?
In Apache, I use the following directives, with cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On
"SSLHonorCipherOrder" is not yet supported in dovecot. I use the following hack/patch:
--- src/login-common/ssl-proxy-openssl.c.orig 2013-08-05 18:08:13.000000000 +0200 +++ src/login-common/ssl-proxy-openssl.c 2013-09-09 18:20:05.184890563 +0200 @@ -1276,6 +1276,7 @@ ssl_server_context_init(const struct log ctx->cipher_list, ssl_last_error()); } SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols)); + SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) { i_fatal("Can't load ssl_cert: %s",
that looks interesting, whats Timos meaning to that patch ?
SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10 -SHA1:RC4:!MD5:!DES:!aNULL:!eNULL
dovecot does not care about BEAST, since attacker cannot inject trafic. Therefore the cipher list get simplier in dovecot.conf: ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL :!eNULL
But that list is good for browsers. I am not aware of documentation about what ciphers are advertised by various mail client. How can I know if that setting has some success pushing PFS? How can I discover which clients fail to negociate PFS ciphers?
I have in my dovecot.conf: login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c %k The "%k" writes the negotiated cipher into the log, see also http://wiki2.dovecot.org/Variables
Regards, Frank
Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein