Displaying 20 results from an estimated 261 matches for "ssl_dh_parameters_length".
2019 May 19
1
Do we need ssl_dh_parameters_length in version 2.3
Hi, I couldn't really find documentation about ssl_dh_parameters_length
except for mention in passing on the page
https://wiki2.dovecot.org/SSL/DovecotConfiguration
For version 2.3 and above is that setting necessary? If so what are the
values I can use, is setting it high like 4096 beneficial or make any
problems for clients?
Thanks for assistance.
2015 Jan 16
4
Outlook and TLSv.1
...some posts about this but none of them had a real solution on
this - I meanwhile disabled TLSv1.2 which made the Outlook users happy.
I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
ssl_cert = </var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2
The certificate is from Comodo using sha256.
Any idea?
Oliver
--
Protect your environment - close windows and adopt a penguin!
2014 Dec 02
4
disabling certain ciphers
...?
>
> > Is there a way to exclude these ciphers, while still keeping my config
> > easy to parse and avoiding duplicative or deprecated configs?
>
> Yes to both. If you need to support older clients:
>
> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
> ssl_dh_parameters_length = 2048
> ssl_parameters_regenerate = 0
> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why does ssl_protocols behave differently depending on if
$ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
It seems that if ssl_cipher_list is defined,
ssl_protocols =...
2017 Apr 19
3
help
Dear Team
I have faced an issue with email downloading in the email client by using pop3 SSL port 995 in dovecot v2.1.17 for outlook client 2016 on production environment.
As per my troubleshooting on my test environment, I have upgraded dovecot version v2.2.28, and changed parameter "ssl_dh_parameters_length = 2048" and "verbose_ssl = yes". The issue seems to be resolved in dovecot v2.2.28.
What can I do to resolve this issue in dovecot v2.1.17 in Production environment? Kindly help.
Thanks a lot in advance.
Regards,
Bhushan Bhosale
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config
(in a way that's sane)?
ssl_protocols (>= 2.1)
and
ssl_cipher_list
co-exist, or are they mutually exclusive?
I have a Dovecot 2.2.13 system, and I tried setting:
I also tried things like
ssl_cipher_list = HIGH
or
ssl_cipher_list = HIGH:!MEDIUM:!LOW
however, doing this seems to make v3 still work unless I
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
Based on the recently found weaknesses in DH key exchange,
http://weakdh.org/
I increased ssl_dh_parameters_length to 2048 bits, and found I waited
for 5+ minutes for dovecot to come back online after a restart.
Unless you got a fast machine, the initialization of DH parameters can
exceed your patience.
Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if
Dovecot uses old parameters until rege...
2013 Nov 05
2
ssl-params regeneration with dovecot 2.2.7
Hello,
after switching from version 2.2.7 to 2.2.7 I miss the loglines which say:
ssl-params: Generating SSL parameters
ssl-params: SSL parameters regeneration completed
The configuration has not been changed and reads:
| # 2.2.7: /usr/local/dovecot/etc/dovecot/dovecot.conf
| # OS: Linux 2.6.35.14-106.fc14.i686.PAE i686 Fedora release 14 (Laughlin) ext3
| auth_mechanisms = plain login
|
2014 Dec 02
2
disabling certain ciphers
...hese ciphers, while still keeping my config
>>>> easy to parse and avoiding duplicative or deprecated configs?
>>>
>>> Yes to both. If you need to support older clients:
>>>
>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>> ssl_dh_parameters_length = 2048
>>> ssl_parameters_regenerate = 0
>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>
>> But why does ssl_protocols behave differently depending on if
>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>
>> I...
2014 Dec 02
0
disabling certain ciphers
...e config
> (in a way that's sane)?
> Is there a way to exclude these ciphers, while still keeping my config
> easy to parse and avoiding duplicative or deprecated configs?
Yes to both. If you need to support older clients:
ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
If your userbase is limited to current clients and OSes, you can take it
a bit further:
ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH
ssl_dh_parameters_length = 4096
ssl_parameters_regenerat...
2017 Apr 21
2
Issue with POP3s TLS/SSL on port 995 on Outlook 2016
...evious Mail:==========I have faced an issue with email downloading in the email client by using pop3s SSL port 995 in dovecot v2.1.17 for outlook client 2016 on production environment.
As per my troubleshooting on my test environment, I have upgraded dovecot version v2.2.28, and changed parameter "ssl_dh_parameters_length = 2048" and "verbose_ssl = yes". The issue seems to be resolved in dovecot v2.2.28.
What can I do to resolve this issue in dovecot v2.1.17? Kindly help.
2015 Jan 19
1
Outlook and TLSv.1
...n
>> this - I meanwhile disabled TLSv1.2 which made the Outlook users happy.
>>
>> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
>>
>> ssl_cert = </var/qmail/control/servercert.pem
>> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
>> ssl_dh_parameters_length = 2048
>> ssl_key = </var/qmail/control/servercert.pem
>> ssl_protocols = !SSLv2 !TLSv1.2
>>
>> The certificate is from Comodo using sha256.
>>
>> Any idea?
>>
>> Oliver
>>
>
> there is no "Outlook", please do an exact debug wh...
2016 Mar 06
2
Dovecot stops responding when I update SSL certificate
...ficate, so I did (same CA). The new
> certificate works fine in Apache and Postfix. But when I update Dovecot
> to use the same certificate, and restart the server, Dovecot stops
> responding to connects.
> ...
> Here is the end of the dovecot -n file that mentions SSL:
> ...
> ssl_dh_parameters_length = 2048
When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%?
It's possible it's generating ephemeral DH keys. In a previous post
to this list, I note that the run time to generate these keys can vary
wildly, and gets worse with longer keys. Sometimes you get lucky, an...
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
...ed shorter (<= 1024 bit) primes.
Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security.
So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate.
[1] http://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test
[2] https://weakdh.org/sysadmin.html
2017 Jan 31
3
Dovecot auth-worker error after cram-md5 auth
...y = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
mail_max_userip_connections = 100
passdb {
# args = /etc/dovecot/dovecot-sql.conf
# driver = sql
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
Of course I created cram-md5.pw...
2016 Oct 27
2
Bugreport: managesieve-login won't start without a ssl-key
...user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
ssl = yes
}
}
ssl = required
ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/imap.toppoint.de.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv3 !SSLv2
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = sieve
}
protocol imap {
ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
ssl_key = </etc/ssl/private/imap...
2017 Jan 17
3
Correct settings for "ssl protocols" and "ssl ciphers"
I have the following two settings in my "10-ssl.conf" file
# SSL protocols to use
ssl_protocols = !SSLv2
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
I have seen different configurations while Googling. I am wondering
what the consensus is for the best settings for these two items. What
do the developers recommend?
Thanks!
--
Jerry
2016 Jul 03
2
Postfix/dovecot: user unrecognized, file permissions being misread
...group = postfix
mode = 0600
user = postfix
}
}
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
}
ssl = required
ssl_ca = </etc/ssl/certs/StartCom_Certification_Authority.pem
ssl_cert = </etc/apache2/ssl.crt/mail.privustech.com_start.crt
ssl_dh_parameters_length = 2048
ssl_key = </etc/apache2/ssl.key/mail.privustech.com.key
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
userdb {
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
driver = static
}
verbose_ssl = yes
protocol lda {
deliver_l...
2019 Jul 25
3
Autoexpunge not working for Junk?
...al_use = \Sent
}
mailbox Spam {
autoexpunge = 30 days
special_use = \Junk
}
mailbox Trash {
autoexpunge = 30 days
special_use = \Trash
}
prefix =
separator = /
}
passdb {
driver = pam
}
pop3_uidl_format = %08Xv%08Xu
ssl_cert = # REDACTED
ssl_cipher_list = # REDACTED
ssl_dh_parameters_length = # REDACTED
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
--- Amir
2016 Nov 15
1
[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
...ertions(+), 2 deletions(-)
diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
index 31b750c..2cd445b 100644
--- a/doc/example-config/conf.d/10-ssl.conf
+++ b/doc/example-config/conf.d/10-ssl.conf
@@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_dh_parameters_length = 1024
# SSL protocols to use
-#ssl_protocols = !SSLv2
+#ssl_protocols = !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
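Review bot: the changed `#ssl_protocols` line drops `!SSLv2` instead of adding `!SSLv3` beside it, and nothing in the surrounding comments says why SSLv2 no longer needs to be excluded. Please extend the `# SSL protocols to use` comment (or the commit message) with that reason, so an admin who copies the example does not read it as SSLv2 being allowed again. The unchanged context line `#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL` still names SSLv2, so the example file remains inconsistent after this hunk; either update it in the same patch or note why it stays. Separately, the context line `#ssl_dh_parameters_length = 1024` sits right above the change and may be worth revisiting in a follow-up, since this hunk is already touching the file's security defaults.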
diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index 4a05045..6b43f6c 100644
--- a/src...
2017 Mar 20
1
Deploying Diffie-Hellman for TLS
...-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes (Dovecot 2.2.6 or greater)
DH parameters
#regenerates every week
ssl_dh_parameters_length = 2048
Contrary to what the site recommends, I would have thought that changes
should be made in the "10-ssl.conf" file. I am running "Dovecot 2.2.28"
on a FreeBSD-11 machine with OpenSSL 1.0.2k, if that makes any
difference.
Thanks
--
Jerry