"A. Schulze" writes:
> David Mehler:
>
>> Second question, in the doveconf -n there's reference to my ssl_cipher
>> am I using current tls ciphers that support pfs?
>
>> ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
>
> some non-PFS ciphers would still be active. Check yourself:
> # openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH
You'll want the 'E' variation (ephemeral) of the DH algorithms, and
preferably the ECDHE variety, as they are faster and supported on more
browsers. The pattern to search for (or exclude) is "DHE":

openssl ciphers -v {cipher-specs} | grep DHE
If the OP wants to preferentially use PFS ciphers (but keep the other
ciphers around for very old browsers), maybe something like:

ssl_cipher_list = ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
> Finally, you could use the service provided by ssllabs.com to scan your host.
I second this recommendation, if you can work out the port issue. Maybe using
an ncat | ncat pipe.
Joseph Tam <jtam.home at gmail.com>
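As an added example (not part of the thread above, and not Dovecot or OpenSSL code), this script applies the "DHE" rule from the thread to the text that `openssl ciphers -v` prints: it splits a cipher list into PFS and non-PFS entries and checks whether the ephemeral ciphers come first, which is what the ECDH:ALL:... ordering with ssl_prefer_server_ciphers aims for. The sample output is constructed to match the `openssl ciphers -v` column layout; `ciphers_v` assumes an `openssl` binary on PATH.

```python
import subprocess
from typing import List, Tuple

# Constructed sample in the column layout of `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=, Mac=). Not captured from any real host.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
EDH-RSA-DES-CBC3-SHA        SSLv3   Kx=DH       Au=RSA  Enc=3DES(168)   Mac=SHA1
"""


def has_pfs(cipher_name: str) -> bool:
    """Ephemeral key exchange: the thread's 'grep DHE' rule, plus the older
    EDH- spelling OpenSSL uses for some ephemeral DH suites. Static ECDH
    (ECDH-RSA-..., ECDH-ECDSA-...) correctly does not match."""
    return "DHE" in cipher_name or cipher_name.startswith("EDH-")


def classify(openssl_v_output: str) -> Tuple[List[str], List[str]]:
    """Split `openssl ciphers -v` lines into (pfs, non_pfs) cipher names,
    keeping the order OpenSSL printed, i.e. the server preference order."""
    pfs, non_pfs = [], []
    for line in openssl_v_output.splitlines():
        if not line.strip():
            continue
        name = line.split()[0]  # first column is the cipher suite name
        (pfs if has_pfs(name) else non_pfs).append(name)
    return pfs, non_pfs


def pfs_preferred(openssl_v_output: str) -> bool:
    """True only if every PFS suite precedes every non-PFS suite, so that
    ssl_prefer_server_ciphers = yes actually favours forward secrecy."""
    seen_non_pfs = False
    for line in openssl_v_output.splitlines():
        if not line.strip():
            continue
        if has_pfs(line.split()[0]):
            if seen_non_pfs:
                return False  # a PFS suite ranked below a non-PFS one
        else:
            seen_non_pfs = True
    return True


def ciphers_v(spec: str) -> str:
    """Run the same command the thread uses against the local OpenSSL
    (assumed on PATH) and return its text for classify()/pfs_preferred()."""
    proc = subprocess.run(["openssl", "ciphers", "-v", spec],
                          check=True, capture_output=True, text=True)
    return proc.stdout
```

Run `classify(ciphers_v('ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL'))` on the mail server itself, since the resulting list depends on that host's OpenSSL build rather than on the spec string alone.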