[Dovecot] force ciphers order for clients

[Reindl Harald]

Am 14.08.2013 22:04, schrieb Robert Schetterer:
> Am 14.08.2013 21:30, schrieb Reindl Harald:
>> Am 14.08.2013 21:19, schrieb Robert Schetterer:
>>>>> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
>>>>> at my setup lucid ubuntu yeter
>>>>
>>>> so you can practically forget it
>>>
>>> perhaps true forever, as long old clients are around, cause the server
>>> can only workaround them
>>
>> not absolutely
>>
>> playing around with the setings below and https://www.ssllabs.com/ssltest/
>> turned out that the order is what counts, and that is really tricky
>>
>> i played around 5 hours with this absoluetly crap
> 
> that sounds good, so you allready did many real world tests

yeah and the bad is that it prove *currently* it is imposible
to have perfect forward secrecy for most real world clients
without open other vectors leading to fall back to a yellow B

really sad is that playing around turned out how hard it is
to force different clients at the same time to a good cipher
and how one change in the order refelcts the overall result

and facing this: "ssllabs" simulates negotiation of real
clients (skipped in the screenshot) but we are missing
the same for mailservers and thats why my conclusion is
that we are hopeless as admins and can only offer things
but not do much in case of clients using them
__________________________

attached the current results for our webservers

the only positive from the current resullt is that the sever supports
ciphers for "Perfect Forward Secrecy" and the negative that it is only
theory, so i stay at this config and say "dear browser vendors, i
support it so use it with your damned client" because i can hardly
use a config which get a yellow CVSS on security-audits to support FS
for you"

well, i could reven aise up "key exchange" to 90/95
but after that "FS" would not be listed at all

the real sad thing is that the "FS" you see is not used by
current clients which mostly use RC4 and if you add !MEDIUM
the most start using FS-ciphers but are vulerable by BEAST-attack
which let you fall down to grade B

if i add !MEDIUM to dovecot Thunderbird does no longer connect at all
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_analyse.gif
Type: image/gif
Size: 36735 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130814/887b9260/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130814/887b9260/attachment-0001.bin>