search for: sslhonorcipherorder

Displaying 7 results from an estimated 7 matches for "sslhonorcipherorder".

2013 Sep 10
2
dovecot and PFS
Hi, Is there any known advice on how to favor PFS with dovecot? In Apache, I use the following directives, which cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding the BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10 -SHA1:RC4:!MD5:!DES:!aNULL:!eNULL dovecot does not care about BEAST, since the attacker cannot inject traffic. Therefore the cipher list gets simpler in dovecot.conf: ssl_cipher_list = ECDHE@STRENGTH:ECDH a...
2015 Jan 26
3
Apache and SSLv3
Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each line reports the relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:
2012 Mar 20
1
IMAP and POP3 per SSL
...ding a new SSL security leak named "BEAST". The exact error number is CVE-2011-3389. Details can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 "The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set SSLHonorCipherOrder On in apache config. This results in the following C-Code being executed: SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); This setting tells OpenSSL not to honor the Cipher Order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys S...
2015 Jan 26
0
Apache and SSLv3
...'ve a question about sslv3 > deactivation. > > Running "openssl ciphers -v" I get a list of cypher suite of openssl like: > > ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) > Mac=AEAD > ......... > SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off Then use cipher suite to your liking. Modern, Intermediate, Old, from... https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Test via... https://www.ssllabs.com/ssltest/
2013 Aug 28
0
Enforcing server cipher list order
...'t find quite what I'm after. From my testing of dovecot 2.1.6, by default it appears to honor the client's cipher list order for SSL/TLS connections. I can't find any documentation on dovecot providing a setting like Apache HTTPD's to either honor the client or server cipher list, i.e. SSLHonorCipherOrder. Do newer versions (> 2.1.6) of dovecot either make this configurable or force honoring of the server's cipher list order? Or is the cipher selection a function that openssl performs? The version of openssl in use is 1.0.1e-fips. Thanks Phillip
2013 Oct 15
0
"Perfect Forward Secrecy" on Redhat/Fedora
...r_ciphers = yes ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH ______________________________ the same for Apache: SSLHonorCipherOrder On SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS ...
2017 Apr 26
4
Apache + SSL: default configuration rated "C" by Qualys Labs
Hi, I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite