Re: [Dovecot] force ciphers order for clients
Am 14.08.2013 22:04, schrieb Robert Schetterer:
Am 14.08.2013 21:30, schrieb Reindl Harald:
Am 14.08.2013 21:19, schrieb Robert Schetterer:
thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yeter
so you can practically forget it
perhaps true forever, as long old clients are around, cause the server can only workaround them
not absolutely
playing around with the setings below and https://www.ssllabs.com/ssltest/ turned out that the order is what counts, and that is really tricky
i played around 5 hours with this absoluetly crap
that sounds good, so you allready did many real world tests
yeah and the bad is that it prove *currently* it is imposible to have perfect forward secrecy for most real world clients without open other vectors leading to fall back to a yellow B
really sad is that playing around turned out how hard it is to force different clients at the same time to a good cipher and how one change in the order refelcts the overall result
and facing this: "ssllabs" simulates negotiation of real clients (skipped in the screenshot) but we are missing the same for mailservers and thats why my conclusion is that we are hopeless as admins and can only offer things but not do much in case of clients using them
attached the current results for our webservers
the only positive from the current resullt is that the sever supports ciphers for "Perfect Forward Secrecy" and the negative that it is only theory, so i stay at this config and say "dear browser vendors, i support it so use it with your damned client" because i can hardly use a config which get a yellow CVSS on security-audits to support FS for you"
well, i could reven aise up "key exchange" to 90/95 but after that "FS" would not be listed at all
the real sad thing is that the "FS" you see is not used by current clients which mostly use RC4 and if you add !MEDIUM the most start using FS-ciphers but are vulerable by BEAST-attack which let you fall down to grade B
if i add !MEDIUM to dovecot Thunderbird does no longer connect at all
third try - a limit of 40 KB is ridiculous given the base64 overhead for e-mail and i hardly can cut more of the screenshot before it renders unusable at all.......
Am 14.08.2013 22:04, schrieb Robert Schetterer:
Am 14.08.2013 21:30, schrieb Reindl Harald:
Am 14.08.2013 21:19, schrieb Robert Schetterer:
i played around 5 hours with this absoluetly crap
that sounds good, so you allready did many real world tests
yeah and the bad is that it prove *currently* it is imposible to have perfect forward secrecy for most real world clients without open other vectors leading to fall back to a yellow B
really sad is that playing around turned out how hard it is to force different clients at the same time to a good cipher and how one change in the order refelcts the overall result
and facing this: "ssllabs" simulates negotiation of real clients (skipped in the screenshot) but we are missing the same for mailservers and thats why my conclusion is that we are hopeless as admins and can only offer things but not do much in case of clients using them
attached the current results for our webservers
the only positive from the current resullt is that the sever supports ciphers for "Perfect Forward Secrecy" and the negative that it is only theory, so i stay at this config and say "dear browser vendors, i support it so use it with your damned client" because i can hardly use a config which get a yellow CVSS on security-audits to support FS for you"
well, i could reven aise up "key exchange" to 90/95 but after that "FS" would not be listed at all
the real sad thing is that the "FS" you see is not used by current clients which mostly use RC4 and if you add !MEDIUM the most start using FS-ciphers but are vulerable by BEAST-attack which let you fall down to grade B
if i add !MEDIUM to dovecot Thunderbird does no longer connect at all
participants (1)
-
Reindl Harald