TLS config check

Reindl Harald h.reindl at thelounge.net
Sat Feb 7 03:47:31 UTC 2015


On 06.02.2015 at 23:13, SW wrote:
>   According to https://cipherli.st/
>> ssl = yes
>> ssl_cert = </etc/dovecot.cert
>> ssl_key = </etc/dovecot.key
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>> ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
>> Is what you want.
>
> Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list =
> AES128+EECDH:AES128+EDH
>
> Before I made this change clients were connecting with the following
> cipher in the log file:
>
> ECDHE-ECDSA-AES256-SHA (256/256 bits)
>
> After the change the log now says:
>
> ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
>
> Is this an improvement (or more secure) despite going from 256bits to
> 128bits?

yes it is, because AES-GCM is currently the best cipher suite, while there 
is no point in AES256: if AES128 falls then it likely affects 
AES256 too, and according to Bruce Schneier years ago AES128 has even 
fewer problems than AES256 (too lazy to google it again)

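The question in the thread is whether the negotiated suite changed for the better, and the answer depends on what the cipher string actually expands to. Dovecot hands ssl_cipher_list to OpenSSL unchanged, so the expansion can be checked offline with the same library. The following script is an added example, not code from the thread, from cipherli.st or from Dovecot: it uses Python's standard ssl module to expand the quoted string, confirms that the newly logged suite is selectable and the old one is not, and compares the two logged suites on the properties the reply mentions (AEAD vs. CBC, key size). It also reports two things the string permits that the thread does not discuss: AES128+EECDH matches the AES-128-CBC suites as well as AES-GCM, and, depending on the OpenSSL build and security level, the EECDH/EDH aliases can match anonymous (unauthenticated) suites. The function names and the "ALL" lookup are choices made for this example.

```python
import ssl

# Cipher string quoted in the thread (cipherli.st's Dovecot recommendation).
DOVECOT_CIPHER_LIST = "AES128+EECDH:AES128+EDH"

# The two suites reported in the Dovecot log before and after the change.
BEFORE = "ECDHE-ECDSA-AES256-SHA"
AFTER = "ECDHE-ECDSA-AES128-GCM-SHA256"


def expand_cipher_list(cipher_string):
    """Expand an OpenSSL cipher string into the suites it selects.

    Returns suite descriptions in server preference order (the same order
    `openssl ciphers -v` prints). TLS 1.3 suites are not governed by the
    cipher string, so they are dropped to keep the result comparable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_list(cipher_string):
    """Summarise what a cipher string actually permits."""
    suites = expand_cipher_list(cipher_string)
    names = [c["name"] for c in suites]
    return {
        "suites": names,
        # EECDH and EDH select only ephemeral key exchange, so every
        # matched suite provides forward secrecy.
        "all_forward_secret": all(c["kea"] in ("kx-ecdhe", "kx-dhe") for c in suites),
        # The string asks for 128-bit AES only; no AES256 suite should appear.
        "aes256_present": any("AES256" in n for n in names),
        # AES128 matches CBC suites too, not only GCM; the server picks GCM
        # first only because it sorts earlier in OpenSSL's preference order.
        "cbc_suites": [c["name"] for c in suites if not c["aead"]],
        # Anonymous suites (no server authentication). Whether they appear
        # depends on the OpenSSL build and security level; worth checking.
        "anonymous_suites": [n for n in names if n.startswith(("AECDH-", "ADH-"))],
    }


def describe_suite(name):
    """Return AEAD flag, key size, key exchange and auth for a suite, or
    None if this OpenSSL build does not know the suite at all."""
    for c in expand_cipher_list("ALL"):
        if c["name"] == name:
            return {
                "aead": c["aead"],
                "bits": c["strength_bits"],
                "kea": c["kea"],
                "auth": c["auth"],
            }
    return None


def is_negotiable(cipher_string, suite_name):
    """True if the server would offer suite_name under this cipher string."""
    return suite_name in (c["name"] for c in expand_cipher_list(cipher_string))


if __name__ == "__main__":
    report = audit_cipher_list(DOVECOT_CIPHER_LIST)
    print("suites offered:", ", ".join(report["suites"]))
    print("all forward secret:", report["all_forward_secret"])
    print("AES256 present:", report["aes256_present"])
    print("CBC suites still offered:", report["cbc_suites"])
    print("anonymous suites offered:", report["anonymous_suites"])
    for suite in (BEFORE, AFTER):
        print(suite, "negotiable:", is_negotiable(DOVECOT_CIPHER_LIST, suite),
              "details:", describe_suite(suite))
```

Run it against the OpenSSL Dovecot links with, because the expansion is the library's, not the application's. The "before" suite is CBC with an HMAC-SHA1 MAC and the "after" suite is an AEAD mode, which is the property the reply is pointing at; the key size is the less important difference. If `cbc_suites` or `anonymous_suites` is non-empty, that is the OpenSSL on that host telling you what the string allows beyond the GCM suite the log happened to show.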