[Dovecot] patch for ssl_prefer_server_ciphers in dovecot 2.1

Reindl Harald h.reindl at thelounge.net
Fri Oct 18 15:32:45 EEST 2013


On 18.10.2013 14:22, Adi Kriegisch wrote:
>>> PS: I need that feature to enable PFS while allowing Outlook to still
>>> connect and the others not to fall back to a different cipher; I was
>>> unable to find a PFS cipher that is supported by Outlook and OpenSSL
>>
>> ssl_cipher_list =
>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH
>> ssl_prefer_server_ciphers = yes
>>
>> Outlook, at least on WinXP any version, continues to use RC4 ciphers
>> but any sane mail client is using PFS ciphers
> Thanks for sharing; I opted for disabling RC4 completely and came up with
> the following (formatted for readability)
>   HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:
>        EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:
>        +DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:
>        !AES128:!CAMELLIA128:
>        !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:!RC4:!SEED:
>        +AES256-SHA 
> which disables every cipher with less than 256bit and leaves AES256-SHA as
> a last resort for Outlook... 

this does *not work* with Outlook 2003-2010 on Windows XP

it is also not a good idea to disable 128-bit completely
the idea behind ECDHE is that 128-bit is as secure as non-EC with 256-bit

> and is except for that pretty similar to your cipher string

and likely results in not using PFS for several clients
my string is from https://www.ssllabs.com/ articles and
*verified* to provide PFS for any client except WinXP

a slightly different one, in the case of HTTP, resulted in only very few clients
using PFS; most likely your changes result in a lot of clients falling
back to AES-256 without PFS
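The two cipher strings from the thread, expanded the way `openssl ciphers -v` does and split into PFS and non-PFS suites in server-preference order, as an added example that is not part of the mail or of Dovecot. It uses Python's ssl module, so the resulting list depends on the OpenSSL build Python is linked against (RC4 suites are simply absent on current builds); the function names and the classification by the Kx= field are assumptions of this example, not anything Dovecot provides.

```python
import ssl

# The two cipher strings quoted in the thread: Reindl's, then Adi's (joined from
# the line-wrapped form in his mail).
REINDL = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
          "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
          "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH")
ADI = ("HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
       "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:"
       "+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:"
       "!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:"
       "!RC4:!SEED:+AES256-SHA")

# Ephemeral key exchange as OpenSSL labels it (Kx=ECDH / Kx=DH); static ECDH shows
# up as "ECDH/RSA" on old builds and is deliberately not matched.
PFS_KX = {"ECDH", "DH"}


def expand(cipher_string):
    """Expand a cipher string as the local OpenSSL build does (same data as
    `openssl ciphers -v`). Returns (name, kx, bits) in server-preference order,
    the order ssl_prefer_server_ciphers = yes makes the server pick from.
    TLS 1.3 suites are skipped: not governed by this string, always PFS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        kx = next((t[3:] for t in c["description"].split() if t.startswith("Kx=")), "?")
        suites.append((c["name"], kx, c["strength_bits"]))
    return suites


def pfs_report(cipher_string):
    """Split the enabled suites into PFS and non-PFS lists, preference order kept."""
    suites = expand(cipher_string)
    return ([n for n, kx, _ in suites if kx in PFS_KX],
            [n for n, kx, _ in suites if kx not in PFS_KX])


def non_pfs_only_as_fallback(cipher_string):
    """True when every non-PFS suite comes after the last PFS suite; only then does
    a client that offers any PFS suite never end up on RSA key exchange."""
    is_pfs = [kx in PFS_KX for _, kx, _ in expand(cipher_string)]
    if True not in is_pfs:
        return False
    last_pfs = len(is_pfs) - 1 - is_pfs[::-1].index(True)
    return all(is_pfs[:last_pfs])


if __name__ == "__main__":
    for label, s in (("Reindl", REINDL), ("Adi", ADI)):
        pfs, no_pfs = pfs_report(s)
        print(f"{label}: {len(pfs)} PFS suites; non-PFS in preference order: "
              f"{no_pfs or 'none'}; non-PFS only as last resort: {non_pfs_only_as_fallback(s)}")
```

Running it shows where each string's non-PFS suites sit relative to the PFS ones; whether `HIGH` pulls in RSA-key-exchange suites ahead of the explicit `+AES256-SHA` fallback depends on the OpenSSL version, which is exactly what should be checked before deploying a string.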
