Re: TLS problem after upgrading from v2.2 to v2.3
Jan Vejvalka <jan.vejvalka@lfmotol.cuni.cz> writes:
> Mine are below and they work just fine:
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
I notice all the ciphers use DH, so did you generate a permanent DH key?
(https://wiki2.dovecot.org/Upgrading/2.3)
ssl-parameters.dat file is now obsolete. You should use ssl_dh
setting instead: ssl_dh=</etc/dovecot/dh.pem
You can convert an existing ssl-parameters.dat to dh.pem:
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem
Joseph Tam <jtam.home@gmail.com>
On 08.01.2018 09:41, Joseph Tam wrote:
> Jan Vejvalka <jan.vejvalka@lfmotol.cuni.cz> writes:
>> Mine are below and they work just fine:
>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
> I notice all the ciphers use DH, so did you generate a permanent DH key?
> (https://wiki2.dovecot.org/Upgrading/2.3)
> ssl-parameters.dat file is now obsolete. You should use ssl_dh setting instead: ssl_dh=</etc/dovecot/dh.pem
> You can convert an existing ssl-parameters.dat to dh.pem:
> dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem
> Joseph Tam <jtam.home@gmail.com>
Dovecot won't actually start without ssl_dh. That warning is about dovecot converting the old DH key in ssl-parameters.dat into a DH parameter.
On a related note, we would be interested in finding out what particular cipher (suites) are missing, that are preventing clients from accessing dovecot.
Aki
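As an added example (not code from anyone in this thread or from the Dovecot project), a Python script that feeds the posted ssl_cipher_list to the local OpenSSL through the standard ssl module: it reports which names this OpenSSL build quietly ignores, the kind of gap Aki asks about, and which of the enabled suites are finite-field DHE, the ones the ssl_dh= parameter file is for (ECDHE suites use named curves and do not need dh.pem). The cipher list is copied from the thread; nothing is contacted over the network.

```python
import ssl
# Constructed copy of the ssl_cipher_list posted in the thread.
DOVECOT_CIPHER_LIST = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!3DES", "!MD5", "!PSK",
    "!SSLv2", "!SSLv3",
])

def parse_cipher_list(spec):
    """Split an OpenSSL cipher string into (wanted, excluded) token lists."""
    tokens = [t for t in spec.split(":") if t]
    wanted = [t for t in tokens if not t.startswith("!")]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    return wanted, excluded

def enabled_ciphers(spec):
    """TLS <= 1.2 suites the local OpenSSL enables for this string.
    TLS 1.3 suites appear in get_ciphers() regardless of the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def unresolved_names(spec):
    """Wanted tokens matching no suite in this OpenSSL build. OpenSSL drops
    unknown names from a colon list silently; probing each token alone makes
    set_ciphers() raise SSLError for the ones clients may be missing."""
    missing = []
    for tok in parse_cipher_list(spec)[0]:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(tok)
        except ssl.SSLError:
            missing.append(tok)
    return missing

def dh_param_suites(spec):
    """Enabled finite-field DHE suites: these need the ssl_dh= parameters,
    ECDHE suites use named curves and do not."""
    return sorted(c["name"] for c in enabled_ciphers(spec) if c["kea"] == "kx-dhe")

if __name__ == "__main__":
    print("ignored by this OpenSSL:", unresolved_names(DOVECOT_CIPHER_LIST))
    print("suites needing dh.pem:", dh_param_suites(DOVECOT_CIPHER_LIST))
```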