[Dovecot] patch for ssl_prefer_server_ciphers in dovecot 2.1
Darren Pilgrim
list_dovecot at bluerosetech.com
Sun Oct 20 02:58:42 EEST 2013
On 10/18/2013 5:32 AM, Reindl Harald wrote:
>
> Am 18.10.2013 14:22, schrieb Adi Kriegisch:
>>>> PS: I need that feature to enable PFS while allowing Outlook to still
>>>> connect and the others not to fall back to a different cipher; I was
>>>> unable to find a PFS cipher that is supported by Outlook and OpenSSL
>>>
>>> ssl_cipher_list =
>>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH
>>> ssl_prefer_server_ciphers = yes
>>>
>>> Outlook, at least on WinXP any version, continues to use RC4 ciphers
>>> but any sane mail client is using PFS ciphers
>> Thanks for sharing; I opted for disabling RC4 completely and came up with
>> the following (formatted for readability)
>> HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:
>> EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:
>> +DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:
>> !AES128:!CAMELLIA128:
>> !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:!RC4:!SEED:
>> +AES256-SHA
>> which disables every cipher with less than 256bit and leaves AES256-SHA as
>> a last resort for Outlook...
>
> this does *not work* with Outlook 2003-2010 on Windows XP
It's not Outlook's fault. Office, IE, etc. all use stunnel which, on
XP/2003, is as outdated as OpenSSL 0.9.8.
Enable 3DES to support XP clients.
More information about the dovecot
mailing list