Re: Webmail excessive Dovecot logins
"A. Schulze" writes:
David Mehler:
Second question, in the doveconf -n there's reference to my ssl_cipher am I using current tls ciphers that support pfs?
ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
Some non-PFS ciphers would still be active. Check yourself:
# openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH
You'll want the 'E' variation (ephemeral) of the DH algorithms, and preferably the ECDHE variety, as they are faster and supported on more browsers. The pattern to search for (or exclude) is "DHE":
openssl ciphers -v {cipher-specs} | grep DHE
If the OP wants to preferentially use PFS ciphers (but keep the other ciphers around for very old browsers), maybe something like
ssl_cipher_list = ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
Finally, you could use the service provided by ssllabs.com to scan your host.
I second this recommendation, if you can work out the port issue. Maybe using an ncat | ncat pipe.
Joseph Tam <jtam.home@gmail.com>
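The `grep -v DH` / `grep DHE` check discussed above, redone as an added example (not code from this thread or from Dovecot) that keys on the `Kx=` field of `openssl ciphers -v` rather than the cipher name, so TLS 1.3 suites (no "DHE" in the name, but always ephemeral) are not misreported; the sample output is constructed in the OpenSSL 1.1.x field layout.

```python
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.1.x field layout):
# name, protocol, Kx=key-exchange, Au=authentication, Enc=..., Mac=...
SAMPLE_OPENSSL_OUTPUT = """\
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384             TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES128-SHA                    SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)    Mac=SHA1
"""

# Key-exchange values that give forward secrecy: ephemeral (EC)DH, and "any"
# (TLS 1.3 suites, which always negotiate an ephemeral key exchange).
# Static "ECDH/RSA" style values from older OpenSSL builds are left out on purpose.
PFS_KX = {"DH", "ECDH", "any"}


def parse_ciphers(text):
    """Return a list of (cipher_name, protocol, kx) from `openssl ciphers -v` output."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        kx = next((p[3:] for p in parts if p.startswith("Kx=")), None)
        if len(parts) < 3 or kx is None:
            continue
        out.append((parts[0], parts[1], kx))
    return out


def non_pfs_ciphers(text):
    """Names of ciphers whose key exchange is not ephemeral (no forward secrecy)."""
    return [name for name, _proto, kx in parse_ciphers(text) if kx not in PFS_KX]


def non_pfs_from_openssl(cipher_spec):
    """Run the local openssl on a cipher-list string (as used in ssl_cipher_list)
    and return the non-PFS ciphers it still enables; None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_spec],
                          capture_output=True, text=True, check=True)
    return non_pfs_ciphers(proc.stdout)


if __name__ == "__main__":
    print("non-PFS in sample:", non_pfs_ciphers(SAMPLE_OPENSSL_OUTPUT))
    # The list from the thread: anything printed here lacks forward secrecy.
    print("non-PFS for thread's list:",
          non_pfs_from_openssl("ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL"))
```

With `ssl_prefer_server_ciphers = yes`, anything this reports is only used when a client offers no PFS suite at all, but it is still worth knowing what remains enabled.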