Hi All
First the essentials:
dovecot --version: 2.2.15
/usr/local/etc/dovecot/conf.d/10-ssl.conf:
ssl = required
ssl_cert = </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt
ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA
ssl_prefer_server_ciphers = yes
I would really appreciate it if someone could tell me if my config is super secure? I run the following email clients:
K9 on Android 4.4.2 Thunderbird 31.4 Outlook 2010
I'm interested to know if the config I have is secure and that my cipher list is acceptable. I'm also keen to hear thoughts on my config in respect of Forward Secrecy and the SSLv3/POODLE attack.
Thanks!
Quoting SW <dovecot@bsdpanic.com>:
Hi All
First the essentials:
dovecot --version: 2.2.15
/usr/local/etc/dovecot/conf.d/10-ssl.conf:
ssl = required
ssl_cert = </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt
ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list =
HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA
ssl_prefer_server_ciphers = yes
I would really appreciate it if someone could tell me if my config is super secure? I run the following email clients:
K9 on Android 4.4.2 Thunderbird 31.4 Outlook 2010
I'm interested to know if the config I have is secure and that my cipher list is acceptable. I'm also keen to hear thoughts on my config in respect of Forward Secrecy and the SSLv3/POODLE attack. Thanks!
According to https://cipherli.st/ ssl = yes ssl_cert = </etc/dovecot.cert ssl_key = </etc/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 Is what you want.
According to https://cipherli.st/
ssl = yes ssl_cert = </etc/dovecot.cert ssl_key = </etc/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 Is what you want.
Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list = AES128+EECDH:AES128+EDH
Before I made this change clients were connecting with the following cipher in the log file:
ECDHE-ECDSA-AES256-SHA (256/256 bits)
After the change the log now says:
ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
Is this an improvement (or more secure) despite going from 256bits to 128bits?
Thanks!
Am 06.02.2015 um 23:13 schrieb SW:
According to https://cipherli.st/
ssl = yes ssl_cert = </etc/dovecot.cert ssl_key = </etc/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 Is what you want.
Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list = AES128+EECDH:AES128+EDH
Before I made this change clients were connecting with the following cipher in the log file:
ECDHE-ECDSA-AES256-SHA (256/256 bits)
After the change the log now says:
ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
Is this an improvement (or more secure) despite going from 256bits to 128bits?
yes it is because AES-GCM is currently the best cipher suite while there is no point for AES256, if AES128 will fall then it likely affects AES256 too and according to Brcue Schneier years ago AES128 has even less problems then AES256 (too lazy for google it again)
Am 07.02.2015 um 04:47 schrieb Reindl Harald:
Am 06.02.2015 um 23:13 schrieb SW:
According to https://cipherli.st/
ssl = yes ssl_cert = </etc/dovecot.cert ssl_key = </etc/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 Is what you want.
Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list = AES128+EECDH:AES128+EDH
Before I made this change clients were connecting with the following cipher in the log file:
ECDHE-ECDSA-AES256-SHA (256/256 bits)
After the change the log now says:
ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
Is this an improvement (or more secure) despite going from 256bits to 128bits?
yes it is because AES-GCM is currently the best cipher suite while there is no point for AES256, if AES128 will fall then it likely affects AES256 too and according to Brcue Schneier years ago AES128 has even less problems then AES256 (too lazy for google it again)
Well, I am working in the crypto field and was a bit astonished about this "rant" - so a quick search brought up https://www.schneier.com/blog/archives/2009/07/another_new_aes.html - for those who want it more compact http://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-an....
Bottom line: AES256 *IS* better than AES128 for the intended usage but it is also true that AES-GCM rules out other AES based block ciphers for other kinds of attacks, so there is no "black or white" answer. To be honest, I wont worry on this - people who are in the position to break even a 128bit key will most likely find other ways to get into your mail communication ;)
Oliver
-- Protect your environment - close windows and adopt a penguin!
Is this an improvement (or more secure) despite going from 256bits to 128bits?
yes it is because AES-GCM is currently the best cipher suite while there is no point for AES256, if AES128 will fall then it likely affects AES256 too and according to Brcue Schneier years ago AES128 has even less problems then AES256 (too lazy for google it again)
Well, I am working in the crypto field and was a bit astonished about this "rant" - so a quick search brought up https://www.schneier.com/blog/archives/2009/07/another_new_aes.html - for those who want it more compact http://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-an....
Bottom line: AES256 *IS* better than AES128 for the intended usage but it is also true that AES-GCM rules out other AES based block ciphers for other kinds of attacks, so there is no "black or white" answer. To be honest, I wont worry on this - people who are in the position to break even a 128bit key will most likely find other ways to get into your mail communication ;)
Oliver
Thank you all for your replies. I will keep the setting then to:
AES128+EECDH:AES128+EDH
I've just done a test with K9 mail on Android 4.4.2 and this is what I see in the log:
ECDHE-ECDSA-AES128-SHA (128/128 bits)
But when using Thunderbird I see:
ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
I'm happy that Thunderbird is using a secure cipher but is Android? Is ECDHE-ECDSA-AES128-SHA ok/secure?
Am 07.02.2015 um 10:10 schrieb SW:
I've just done a test with K9 mail on Android 4.4.2 and this is what I see in the log:
ECDHE-ECDSA-AES128-SHA (128/128 bits)
But when using Thunderbird I see:
ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
I'm happy that Thunderbird is using a secure cipher but is Android? Is ECDHE-ECDSA-AES128-SHA ok/secure?
Short: See my last answer - secure is never a black or white decission. The chosen cypher will protect your traffic and its better than plain text.
Long: The client negotiates the supported ciphers with the server and chooses one that fits for him. I *guess* that k9/anroid simply does not support the GCM cipher and therefore uses another one. To get the "best" result you need to list up all supported ciphers of your client and server and choose one, but be warned that if you ask two analyst, you might not get the same answer which is "best" as this dependes on the kind of threats you want to take care of
Oliver
-- Protect your environment - close windows and adopt a penguin!
Short: See my last answer - secure is never a black or white decission. The chosen cypher will protect your traffic and its better than plain text.
Long: The client negotiates the supported ciphers with the server and chooses one that fits for him. I *guess* that k9/anroid simply does not support the GCM cipher and therefore uses another one. To get the "best" result you need to list up all supported ciphers of your client and server and choose one, but be warned that if you ask two analyst, you might not get the same answer which is "best" as this dependes on the kind of threats you want to take care of
Oliver
Thanks Oliver.
I had a look at:
https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2
And Android 4.4.2 does support:
ECDHE-ECDSA-AES128-GCM-SHA256
So why then does K9 not connect using GCM? Could K9 mail not support this cipher? If Android supports it does this mean that K9 mail will support it too?
Just trying to figure out WHY I can't get K9 to use GCM!
Am 07.02.2015 um 11:05 schrieb SW:
Short: See my last answer - secure is never a black or white decission. The chosen cypher will protect your traffic and its better than plain text.
Long: The client negotiates the supported ciphers with the server and chooses one that fits for him. I *guess* that k9/anroid simply does not support the GCM cipher and therefore uses another one. To get the "best" result you need to list up all supported ciphers of your client and server and choose one, but be warned that if you ask two analyst, you might not get the same answer which is "best" as this dependes on the kind of threats you want to take care of
Oliver
Thanks Oliver.
I had a look at:
https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2
And Android 4.4.2 does support:
ECDHE-ECDSA-AES128-GCM-SHA256
So why then does K9 not connect using GCM? Could K9 mail not support this cipher? If Android supports it does this mean that K9 mail will support it too?
K9 questions should go to
https://code.google.com/p/k9mail/issues/list
Just trying to figure out WHY I can't get K9 to use GCM!
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
participants (5)
-
Oliver Welter
-
Reindl Harald
-
Rick Romero
-
Robert Schetterer
-
SW