changing cipher for imap clients
When my client connects, I see this in my log:
dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Whereas, when a client connects to my Postfix server, I see:
Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
How can I tell Dovecot to use AES256 instead of AES128?
Is this set by ssl_cipher_list? Here are my current values (defaults):
# doveconf ssl_cipher_list
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# dovecot --version
2.3.4.1
thanks,
On 28/10/2019 16:12 Fourhundred Thecat via dovecot <dovecot@dovecot.org> wrote:
> When my client connects, I see this in my log:
> dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
> Whereas, when a client connects to my Postfix server, I see:
> Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> How can I tell Dovecot to use AES256 instead of AES128?
> Is this set by ssl_cipher_list? Here are my current values (defaults):
> # doveconf ssl_cipher_list
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> # dovecot --version
> 2.3.4.1
> thanks,
Perhaps your client does not support it?
Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used.
aki
On 2019-10-28 15:36, Aki Tuomi wrote:
> Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used.
Setting ssl_prefer_server_ciphers=yes did the trick. Now my IMAP client uses ECDHE-RSA-AES256-SHA.
many thanks,
On 28 Oct 2019, at 08:45, Fourhundred Thecat <400thecat@gmx.ch> wrote:
> Setting ssl_prefer_server_ciphers=yes did the trick. Now my IMAP client uses ECDHE-RSA-AES256-SHA.
Now go turn off TLSv1.
-- At night when the bars close down Brandy walks through a silent town And loves a man who's not around
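Aki's reply above fixes the negotiated cipher by letting the server-side priority order win, and lbutlr's follow-up points at the other thing visible in the quoted log line: the session is still TLSv1. The following script is an added example for this thread, not code from the Dovecot project or from anyone in the discussion. It parses imap-login/pop3-login log lines of the form quoted above and reports sessions that still negotiate a legacy protocol or a cipher below a chosen key size, so an admin can confirm from the logs, after changing ssl_prefer_server_ciphers (and, on Dovecot 2.3, ssl_min_protocol), that clients actually land where intended. The sample log text is constructed for the example; only the first line is the one quoted in the thread.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log (assumption for this example): the first line is the
# poster's own log line, the others are invented to show other outcomes.
SAMPLE_LOG = """\
dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
dovecot: imap-login: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot: pop3-login: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4242
"""

# Matches the "<proto> with cipher <name> (<used>/<algo> bits)" fragment that
# both Dovecot and Postfix write; lines without it (plain login lines) are skipped.
TLS_RE = re.compile(
    r"(?P<proto>SSLv3|TLSv1(?:\.\d)?) with cipher (?P<cipher>[A-Z0-9-]+) "
    r"\((?P<used>\d+)/(?P<algo>\d+) bits\)"
)

# Protocol versions that a modern mail server should no longer offer.
LEGACY_PROTOS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_line(line: str) -> Optional[dict]:
    """Return {"proto", "cipher", "used", "algo"} for a TLS log line, else None."""
    m = TLS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["used"] = int(rec["used"])   # key bits actually used by the session
    rec["algo"] = int(rec["algo"])   # key bits the algorithm supports
    return rec


def audit(log_text: str, min_bits: int = 256) -> list:
    """List human-readable findings: legacy protocol or key size below min_bits."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_tls_line(line)
        if rec is None:
            continue
        if rec["proto"] in LEGACY_PROTOS:
            findings.append(
                f"line {lineno}: legacy protocol {rec['proto']} with {rec['cipher']}")
        if rec["used"] < min_bits:
            findings.append(
                f"line {lineno}: {rec['cipher']} uses a {rec['used']}-bit key (< {min_bits})")
    return findings


def summarize(log_text: str) -> Counter:
    """Count sessions per (protocol, cipher) pair, to see what clients actually pick."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec is not None:
            counts[(rec["proto"], rec["cipher"])] += 1
    return counts


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    for (proto, cipher), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {proto:8s} {cipher}")
```

Feed it the real log with `python3 audit.py < /var/log/mail.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the summary is the quickest way to see whether any client still needs TLSv1 before it is switched off, which is the practical caveat behind lbutlr's advice.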
The funny thing is AES128 may be harder to break than AES256.
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
It has been a decade, so it would be interesting to know whether Bruce Schneier still has the same opinion.
I just use the defaults.
Original Message
From: dovecot@dovecot.org
Sent: October 28, 2019 7:13 AM
To: dovecot@dovecot.org
Reply-to: 400thecat@gmx.ch
Subject: changing cipher for imap clients
> When my client connects, I see this in my log:
> dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
> Whereas, when a client connects to my Postfix server, I see:
> Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> How can I tell Dovecot to use AES256 instead of AES128?
> Is this set by ssl_cipher_list? Here are my current values (defaults):
> # doveconf ssl_cipher_list
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> # dovecot --version
> 2.3.4.1
> thanks,
participants (4): @lbutlr, Aki Tuomi, Fourhundred Thecat, lists