search for: aesgcm

...s should still retain forward secrecy through the use of EDH, but this doesn't leave much in the way of allowable algorithms on my server: $ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH' 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 0x00,0x9E...

...ser = $default_internal_user vsz_limit = 18446744073709551615 B } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { args = /usr/local/etc...

...er stats-writer { group = mail mode = 0660 user = } } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it userdb { args = /usr/l...

...rap { > > unix_listener login/tcpwrap { > > group = $default_login_user > > mode = 0600 > > user = $default_login_user > > } > > } > > ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer > > ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS > > ssl_dh = # hidden, use -P to show it > > ssl_key = # hidden, use -P to show it >...

...stats-writer { group = mail mode = 0666 user = } } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/*.lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it userdb { args = /usr/loc...

...the problem, as I'm using cyrus-imapd with SSL) here my settings in /etc/imapd.conf tls_cert_file: /etc/pki/cyrus-imapd/tls.crt/mail-host.crt tls_key_file: /etc/pki/cyrus-imapd/tls.key/mail-host.key tls_ca_file: /etc/pki/cyrus-imapd/tls.crt/server-chain-sslca.crt tls_cipher_list: EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:3DES:!SSLv2:+SSLv3:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP tls_prefer_server_ciphers: 1 tls_versions: tls1_0 tls1_1 tls1_2 Walter

...tps://bugzilla.redhat.com/show_bug.cgi?id=1019390 https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108 ______________________________ recent dovecot with also support older clients but perfer best possible encryption for modern ones ssl_prefer_server_ciphers = yes ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH ______________________________ the same for Apache: SSLHonorCipherOrder On SSLCipherSuite EECDH+ECDSA+AE...

...> > unix_listener login/tcpwrap { > > group = $default_login_user > > mode = 0600 > > user = $default_login_user > > } > > } > > ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer > > ssl_cipher_list = > EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384: > > EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256: > > EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:! > > aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS > > ssl_key = # hidden, use -P to show it > > ssl_proto...

...mtp { group = postfix mode = 0600 user = postfix } user = vmail } service managesieve-login { inet_listener sieve { address = 127.0.0.1 port = 4190 } } ssl = required ssl_cert = </etc/letsencrypt/live/mgrids.dynu.com/fullchain.pem ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+ 3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5 ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes syslog...

Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each lines report relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like: ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1 that has protocol SSLv3? Disabling SSLv3 protocol, apache will use only TLSv1...

...cot --version: 2.2.15 /usr/local/etc/dovecot/conf.d/10-ssl.conf: ssl = required ssl_cert = </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA ssl_p...

...so use STARTTLS, though I expose that on both IMAP and IMAPS ports, which is consistent with a number of major imap providers. Selection of ciphers is important. I researched this recently and use this stanza in the configuration ssl = required ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM ssl_prefer_server_ciphers = yes The defaults in dovecot are shown commented in conf.d/10-ssl.conf. They are not best practice for security. > -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0xFABD47B0F98E88C9.asc Type: application/pgp-k...

...ice tcpwrap { > unix_listener login/tcpwrap { > group = $default_login_user > mode = 0600 > user = $default_login_user > } > } > ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer > ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS > ssl_key = # hidden, use -P to show it > ssl_protocols = !SSLv2 !SSLv3 > userd...

...our server's public key, your server's certifying authority (CA) key, maybe even the curl CA. I've also seen this in examples of the SSL stanza from icecast.xml: <ssl-certificate>/usr/local/centovacast/etc/ssl/icecast.pem</ssl-certificate> <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers> Of course, never mind the CentovaCast bit; it's jut a location. Where does this last line come from--i.e., how is it generated? The same article al...

Hi, I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite

...ser = $default_internal_user vsz_limit = 18446744073709551615 B } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { driver = passwd } ver...

...ser = $default_internal_user vsz_limit = 18446744073709551615 B } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { driver = passwd } ver...

...ser = $default_internal_user vsz_limit = 18446744073709551615 B } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { driver = passwd } ver...

...ser = $default_internal_user vsz_limit = 18446744073709551615 B } service tcpwrap { unix_listener login/tcpwrap { group = $default_login_user mode = 0600 user = $default_login_user } } ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { driver = passwd } ver...

...4073709551615 B > } > service tcpwrap { > unix_listener login/tcpwrap { > group = $default_login_user > mode = 0600 > user = $default_login_user > } > } > ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer > ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384: > EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256: > EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:! > aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS > ssl_key = # hidden, use -P to show it > ssl_protocols = !SSLv2 !SSLv3 >...