Adi Kriegisch
2013-Oct-18 11:57 UTC
[Dovecot] patch for ssl_prefer_server_ciphers in dovecot 2.1
Dear all,

I tried to do a backport of 'ssl_prefer_server_ciphers' (http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87/) to Dovecot 2.1 (namely the Debian version of Dovecot) and wanted to ask if there is any chance to integrate this feature into Dovecot 2.1 'upstream' as well.

As the code structure changed quite a bit, I am not sure if my patch is complete. I tested it with pop3s and imaps in my test environment and it works just as expected and seemed to not have any unwanted effects. (Dovecot code is probably the most beautiful and easy to read C code I've seen, but there might also be some pitfalls I missed.)

best regards,
Adi Kriegisch

PS: I need that feature to enable PFS while allowing Outlook to still connect and the others not to fall back to a different cipher; I was unable to find a PFS cipher that is supported by Outlook and OpenSSL.

[Attachment: ssl_prefer_server_ciphers-dc21.diff (text/x-diff, 5066 bytes): http://dovecot.org/pipermail/dovecot/attachments/20131018/c9567b3a/attachment-0001.bin]
Reindl Harald
2013-Oct-18 12:00 UTC
[Dovecot] patch for ssl_prefer_server_ciphers in dovecot 2.1
On 18.10.2013 13:57, Adi Kriegisch wrote:
> I tried to do a backport of 'ssl_prefer_server_ciphers'
> (http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87/) to Dovecot 2.1
> (namely the Debian version of Dovecot) and wanted to ask if there is any
> chance to integrate this feature into Dovecot 2.1 'upstream' as well.
> As the code structure changed quite a bit, I am not sure if my patch is
> complete. I tested it with pop3s and imaps in my test environment and it
> works just as expected and seemed to not have any unwanted effects.
> (Dovecot code is probably the most beautiful and easy to read C code I've
> seen, but there might also be some pitfalls I missed.)
>
> best regards,
> Adi Kriegisch
>
> PS: I need that feature to enable PFS while allowing Outlook to still
> connect and the others not to fall back to a different cipher; I was
> unable to find a PFS cipher that is supported by Outlook and OpenSSL

ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH
ssl_prefer_server_ciphers = yes

Outlook, at least any version on WinXP, continues to use RC4 ciphers, but any sane mail client is using PFS ciphers.
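The message above relies on the fact that, with server preference enabled, the server's ordering of the cipher list decides the outcome, so a PFS-capable client lands on an EECDH suite even if it lists RC4 first, while an RC4-only client still connects. The following Python script is an added example, not code from the thread or from Dovecot: it models TLS 1.2-style suite selection with and without server preference. The server order is a constructed subset of what the posted cipher string expands to, and the two client offers are constructed assumptions, not measurements of any real Outlook build; `resolve_server_ciphers()` additionally asks the local OpenSSL for the real expansion, which varies by build (OpenSSL 3 ships no RC4, for instance).

```python
"""Added example: why ssl_prefer_server_ciphers matters for the cipher list
posted in the thread. Not part of the thread or of Dovecot."""
import ssl

# The cipher string quoted from the message above, verbatim.
SERVER_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
    "!PSK:!SRP:!DSS:!SSLv2:@STRENGTH"
)

# Constructed, ordered server preference list (assumption: mirrors the
# string's intent -- ephemeral ECDH first, then DHE, plain RC4 as last resort;
# 3DES and MD5 suites are absent because the string kills them).
SERVER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-RC4-SHA",
    "DHE-RSA-AES256-SHA",
    "RC4-SHA",
]

# Constructed client offers (assumptions, not real client fingerprints).
LEGACY_CLIENT = ["RC4-SHA", "DES-CBC3-SHA"]  # RC4/3DES only, no PFS at all
MODERN_CLIENT = ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                 "DHE-RSA-AES256-SHA"]  # PFS-capable, but lists RC4 first


def resolve_server_ciphers(cipher_string=SERVER_CIPHER_STRING):
    """Expand the OpenSSL cipher string with the local OpenSSL build and
    return the concrete suite names in the server's preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def is_forward_secret(suite):
    """A suite provides PFS when its key exchange is ephemeral (ECDHE or DHE)."""
    return suite.startswith(("ECDHE-", "DHE-"))


def negotiate(server_prefs, client_prefs, prefer_server):
    """Pick the suite the server would select for this client.

    prefer_server=False: walk the client's list, take the first one the server
    supports (OpenSSL default). prefer_server=True: walk the server's list,
    take the first one the client offers (ssl_prefer_server_ciphers = yes).
    Returns None when the two lists do not overlap (handshake failure)."""
    if prefer_server:
        first, second = server_prefs, client_prefs
    else:
        first, second = client_prefs, server_prefs
    for suite in first:
        if suite in second:
            return suite
    return None


def audit(server_prefs, clients, prefer_server):
    """Return {client_name: (chosen_suite, forward_secret)} for each client."""
    result = {}
    for name, offer in clients.items():
        chosen = negotiate(server_prefs, offer, prefer_server)
        result[name] = (chosen, chosen is not None and is_forward_secret(chosen))
    return result


if __name__ == "__main__":
    clients = {"legacy": LEGACY_CLIENT, "modern": MODERN_CLIENT}
    for prefer in (False, True):
        print(f"ssl_prefer_server_ciphers = {'yes' if prefer else 'no'}")
        for name, (suite, pfs) in audit(SERVER_ORDER, clients, prefer).items():
            print(f"  {name:7s} -> {suite}  PFS={pfs}")
    try:
        print("local OpenSSL expands the string to:", resolve_server_ciphers())
    except ssl.SSLError as exc:
        print("local OpenSSL rejected the string:", exc)
```

Run as-is, the modelled "modern" client ends up on RC4-SHA without server preference and on ECDHE-RSA-AES128-GCM-SHA256 with it, while the "legacy" client gets RC4-SHA either way; the real expansion printed at the end is what to compare against a running Dovecot's `doveconf ssl_cipher_list`.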
Adi Kriegisch
2013-Oct-18 17:48 UTC
[Dovecot] patch for ssl_prefer_server_ciphers in dovecot 2.1
Dear all,

> I tried to do a backport of 'ssl_prefer_server_ciphers'
> (http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87/) to Dovecot 2.1
[...]
> (Dovecot code is probably the most beautiful and easy to read C code I've
> seen, but there might also be some pitfalls I missed.)

I'd be very grateful if someone could have a closer look at the patch and see whether I missed something.

best regards,
Adi Kriegisch