[Dovecot] force ciphers order for clients

Reindl Harald h.reindl at thelounge.net
Wed Aug 14 22:30:15 EEST 2013

On 14.08.2013 21:19, Robert Schetterer wrote:
>>> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
>>> at my setup lucid ubuntu yeter
>> so you can practically forget it
> perhaps true forever, as long as old clients are around, because the server
> can only work around them

not absolutely

playing around with the settings below and https://www.ssllabs.com/ssltest/
turned out that the order is what counts, and that is really tricky

i played around 5 hours with this absolute crap

adding !MEDIUM results in being open to CRIME or BEAST attack because
some clients choose a vulnerable cipher, but it would raise up the
overall points of the test BUT at the same time perfect forward
secrecy for most clients while with settings below only
for Apple iOS/Safari

without the -SHA1 also vulnerable to one of the new attacks
sorry, i refused to notice what and tried to achieve best possible
encryption while not falling back to classification B, which is important
for security audits

BEAST attack is unlikely in context mail

IMHO this is all bullshit currently *but* if recent clients start
to act smarter they can choose the best possible cipher offered
from the server and after that you have your compatibility net
for old clients - currently this all is a tragedy, but having
PRISM/NSA and the latest news about in mind most likely recent
clients will be able to choose a "perfect forward secrecy"
capable cipher if offered by the server independent of weaker ones

the real problem in your case will most likely be that most
of the shiny new things in this area will require recent
openssl and TLS1.2 (sadly not supported by Mozilla/NSS for now)

SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLInsecureRenegotiation Off
SSLHonorCipherOrder On
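
Added example, not part of the original message: a small Python model of TLS cipher selection showing why the order of the server's list only counts when the server enforces it (SSLHonorCipherOrder On in the settings above). The cipher names are OpenSSL names; the server list and the client preference lists are constructed for illustration, and no real handshake is performed.

```python
# Model of TLS cipher negotiation (constructed data, not a real handshake).
# Cipher names are OpenSSL names; the server and client lists are assumptions.

SERVER_ORDER = [  # hypothetical server list, forward-secret ciphers first
    "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
    "RC4-SHA",  # compatibility net for old clients, kept last
]

CLIENTS = {  # hypothetical client preference lists
    "pfs-first client": ["ECDHE-RSA-AES256-SHA", "AES256-SHA", "RC4-SHA"],
    "rc4-first client": ["RC4-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA"],
    "legacy client": ["RC4-SHA", "DES-CBC3-SHA"],
    "no-overlap client": ["DES-CBC3-SHA"],
}


def negotiate(client_prefs, server_prefs, honor_server_order):
    """Return the shared cipher that wins, or None if nothing overlaps."""
    # The side whose order is honored is walked first-to-last.
    if honor_server_order:
        primary, other = server_prefs, client_prefs
    else:
        primary, other = client_prefs, server_prefs
    allowed = set(other)
    return next((c for c in primary if c in allowed), None)


def has_forward_secrecy(cipher):
    """Ephemeral (EC)DH key exchange is what provides forward secrecy."""
    return cipher is not None and cipher.startswith(("ECDHE-", "DHE-"))


def report(honor_server_order):
    """Map each client name to (negotiated cipher, forward secrecy?)."""
    result = {}
    for name, prefs in CLIENTS.items():
        cipher = negotiate(prefs, SERVER_ORDER, honor_server_order)
        result[name] = (cipher, has_forward_secrecy(cipher))
    return result


if __name__ == "__main__":
    for honor in (False, True):
        print("SSLHonorCipherOrder", "On" if honor else "Off")
        for name, (cipher, pfs) in report(honor).items():
            print(f"  {name:18} {cipher or 'handshake fails':22} PFS={pfs}")
```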
