Displaying 20 results from an estimated 20 matches for "ciphersuites".
2004 Mar 17
2
FreeBSD-SA-04:05.openssl question
...g SSL handshake" DoS vulnerability.
However, the OpenSSH Security Advisory of 17 March 2004 announced the
same vulnerability with one more vulnerability. Look at
http://www.openssl.org/news/secadv_20040317.txt
Isn't FreeBSD vulnerable to the second "Out-of-bounds read affects
Kerberos ciphersuites" security problem?
Thanks
2020 Sep 24
3
dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
I've installed
grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
dovecot --version
2.3.10.1 (a3d0e1171)
openssl version
OpenSSL 1.1.1g FIPS 21 Apr 2020
iiuc, Dovecot has apparently had support for setting TLS 1.3 ciphersuites since v2.3.9, per this commit
lib-ssl-iostream: Support TLSv1.3 ciphersuites
https://github.com/dovecot/core/commit/8f6f04eb21276f28b81695dd0d3df57c7b8f43e4
checking openssl
rpm -ql openssl-devel-1.1.1g-1.fc32.x86_64 | grep -i ciphersuites
/usr/share/man/man3/SSL_CTX_set_ciphersuites.3ssl....
2006 Apr 07
1
your mail
> On Thu, 6 Apr 2006, Miller, Damien wrote:
>
> >
> > Does OpenSSH 4.3 support the use of the TLS ciphersuites that are
> > supported in OpenSSL?
> > If so, is this a compile time option or a run-time option? Or can sshd
> > support both the SSL and TLS ciphersuites at the same time?
>
> OpenSSH doesn't use SSL or TLS - the SSH protocol defines its
> own transport p...
2020 May 09
1
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
>> I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers.
>
> There is no need to disable TLSv1.3 and attempts to do so will be flagged as "downgrade attacks".
Let us ignore TLSv1.2 as a downgrade option. And focus on TLSv1.3 for
its entirety of this thread.
If the ciphersuite (not cipher for that's a TLSv1.2 term), but a
2006 Apr 06
1
No subject
Does OpenSSH 4.3 support the use of the TLS ciphersuites that are
supported in OpenSSL?
If so, is this a compile time option or a run-time option? Or can sshd
support both the SSL and TLS ciphersuites at the same time?
Jim Humphreys
2007 Apr 23
1
Trying to explain mutt+dovecot(ssl) to myself :(
...t+ssl and getting it all wrong
---------------------------------------------------
* mutt(with openssl support built in) initiates with a "SSL-Client-Hello" to SSL on port 993
i.e. mutt's capabilities (algorithms, SSL version etc).
* dovecot:993 compares mutt's CipherSuites with its own. Of the CipherSuites mutt and dovecot
have in common, dovecot:993 chooses the _most_ secure algorithm.
* Dovecot:993 will then tell mutt what it has decided to use and assigns a Unique session ID.
From now on all communication is via this ID.
* Now that the Cipher...
2003 Mar 21
0
FreeBSD Security Advisory FreeBSD-SA-03:06.openssl
...s choice using the server's RSA key. Note that the
server's RSA key is not compromised in this attack.
IV. Workaround
RSA timing attack:
Disable the use of RSA or enable RSA blinding in OpenSSL using the
RSA_blinding_on() function. The method of adjusting the list of
acceptable ciphersuites varies from application to application. See
the application's documentation for details.
Klima-Pokorny-Rosa attack:
Disable the use of ciphersuites which use PKCS #1 v1.5 padding in SSL
or TLS. The method of adjusting the list of acceptable ciphersuites
varies from application to app...
2020 Sep 24
0
dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
...'ve installed
>
> grep PRETTY /etc/os-release
> PRETTY_NAME="Fedora 32 (Server Edition)"
> dovecot --version
> 2.3.10.1 (a3d0e1171)
> openssl version
> OpenSSL 1.1.1g FIPS 21 Apr 2020
>
> iiuc, Dovecot has apparently had support for setting TLS 1.3 ciphersuites since v2.3.9, per this commit
>
> lib-ssl-iostream: Support TLSv1.3 ciphersuites
> https://github.com/dovecot/core/commit/8f6f04eb21276f28b81695dd0d3df57c7b8f43e4
>
> checking openssl
>
Hi!
The config option is still missing, but it's in our backlog along with other s...
2006 Apr 06
0
OpenSSH 4.3 support for TLS in OpenSSL 0.9.8
Does OpenSSH 4.3 support the use of the TLS ciphersuites that are
supported in OpenSSL 0.9.8?
If so, is this a compile time option or a run-time option? Or can ssh
and sshd support both the SSL and TLS ciphersuites at the same time?
Jim Humphreys
2020 Aug 25
2
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
...ki/tls/openssl.cnf
to set preferences for apps' usage, e.g. Postfix etc; Typically, here
cat /etc/pki/tls/openssl.cnf
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE...
2012 Mar 20
1
IMAP and POP3 per SSL
...need to set
SSLHonorCipherOrder On
in apache config. This results in the following C-Code being executed:
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
This setting tells OpenSSL not to honor the Cipher Order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is not affected by that BEAST security leak.
Is there a way to implement such a setting into Dovecot, too?
I have created a very quick and dirty solution to avoid being listed on o...
2020 Oct 01
3
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
hi,
On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote:
> I had the same problem when migrating from Dovecot V2.2.36 on, Centos-7 to Dovecot v2.3.8 on Centos-8
My report is specifically/solely about the addition/use of the
Options = ServerPreference
parameter.
I don't see that in your configuration.
Are you using it? In a config using Dovecot's submission proxy?
2020 May 08
2
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
I have an operational need to disable TLSv1.3 due to inadequate support
to exclude certain ciphers.
Much to my dismay, the `ssl_protocols` had been renamed and
re-functionalized into `ssl_min_protocol`.
Now, there is no way to exclude a specific group of one or more TLS
versions.
For a new bug report, I think we need two new settings:
* `ssl_tls13_ciphersuite` and
* `ssl_tls10_cipher`
2020 Oct 01
0
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
..._policy
[ crypto_policy ]
*.include /etc/crypto-policies/back-ends/opensslcnf.config*
And /etc/crypto-policies/back-ends/opensslcnf.config :
CipherString =
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites =
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = *TLSv1.1*
MaxProtocol = TLSv1.3
Regards
On Thu, 1 Oct 2020 at 17:29, PGNet Dev <pgnet.dev at gmail.com> wrote:
> hi,
>
> On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wr...
2016 Jan 22
1
Does tinc have something akin to openvpn's --tls-auth ? Or do I not need that at all ?
Hello,
I wanted to ask if tinc had something akin to openvpn's --tls-auth
option, for all the reasons listed here:
https://community.openvpn.net/openvpn/wiki/Hardening
I have read http://www.tinc-vpn.org/documentation-1.1/tinc.pdf, but I
have not seen anything similar.
Or do I not need that feature at all because tinc handles cryptology
different than openvpn ( tinc's uses RSA keys
2001 May 01
1
fatal compile error on SGI IRIX
IRIX64 6.5 01101245 IP27
20010425 CVS
- (djm) Include crypt.h if available in auth-passwd.c
cc-1143 cc: ERROR File = /usr/include/crypt.h, Line = 38
Declaration is incompatible with
"void des_encrypt(unsigned long *, struct des_ks_struct *, int)"
(declared at line 150 of "/usr/local/ssl/include/openssl/des.h").
extern void des_encrypt(char *, int);
2020 Sep 22
0
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
...ix etc; Typically, here
>
> cat /etc/pki/tls/openssl.cnf
>
> openssl_conf = default_conf
>
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1.2
> Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
> CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:...
2020 Sep 22
3
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
....cnf
> >
> > openssl_conf = default_conf
> >
> > [default_conf]
> > ssl_conf = ssl_sect
> >
> > [ssl_sect]
> > system_default = system_default_sect
> >
> > [system_default_sect]
> > MinProtocol = TLSv1.2
> > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
> > CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SH...
2020 Sep 23
2
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
> On 22/09/2020 21:00 PGNet Dev <pgnet.dev at gmail.com> wrote:
>
>
> On 9/22/20 10:51 AM, Aki Tuomi wrote:
> >>>
> >
> > Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.
>
> I've NO issue with that config/setting with any _other_ app -- whether in general
2004 Jun 04
1
Samba, LDAP and TLS
Hi List ;-)
I consider my question to be a rather simple one ... nevertheless I could not
find an answer to it up to now.
I have an OpenLDAP-server which is the user-db for a samba3-server. I want to
use TLS for secure communication, so I created a ca for this as well as
keys/certificates for my LDAP and samba-server. Informing the LDAP-server
about its certificate/key is easy ... but how do I