similar to: SSL Cipher Order in Dovecot

Displaying 20 results from an estimated 3000 matches similar to: "SSL Cipher Order in Dovecot"

2013 Aug 14
3
force ciphers order for clients
Hi Timo, reading this http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/ it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use with apple mail ( if no ECDHE is possible ,by missing openssl 1.x etc, seems that apple mail tries ECDHE first if fails it's going to use RSA-AES128-SHA ) force solution as tried ssl_cipher_list =
2016 Oct 05
2
Ast 13.10 to 13.11 stop working webrtc
From this change (res_rtp_asterisk): ast 13.10 to 13.11 webrtc JSSIP stop working, failing with chan_sip.c:4083 retrans_pkt: Hanging up call 7238b48c11581d4166b899bf747a05f7 at 130.211.62.184:0 - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions). is there any way to configure to have the previous behaviour? I'm trying to set
2014 Dec 02
0
disabling certain ciphers
Am 02.12.2014 um 17:33 schrieb Darren Pilgrim: > On 12/2/2014 1:32 AM, Reindl Harald wrote: >>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH >>>> ssl_dh_parameters_length = 2048 >>>> ssl_parameters_regenerate = 0 >>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 >>> >>> But why does ssl_protocols behave
2013 Aug 14
1
Patch to log the cipher suite used for TLS
Hello, the attached patch for Dovecot 2.2.4 improves the logging to include information about the cipher suite used for a TLS connection. Here is an example log line: Aug 13 21:49:55 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=10567, TLS=<TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)>,
2014 Dec 02
2
disabling certain ciphers
On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a
2013 Sep 10
2
dovecot and PFS
Hi Is there known advices on how to favor PFS with dovecot? In Apache, I use the following directives, which cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10
2014 Dec 18
0
CentOS 6 - httpd 2.2.29
On Thu, December 18, 2014 00:31, Jake Shipton wrote: > > Hi Alex, > > In this situation 2.2.29 actually does offer an advantage over CentOS > version 2.2.15. > > The version provided by CentOS does not support Forward Secrecy for SSL > or TLS 1.2. > > Version 2.2.24+ of upstream Apache includes patches which enable both > Forward Secrecy and TLS 1.2. > > Now
2018 Dec 19
1
How to configure Dovecot to disable NIST's curves and still retain EECDH?
I am interested in configuring Dovecot's TLS so as to retain forward secrecy, but eliminate all of NIST's elliptic curves. Besides being subject to side channel attacks [1], in some quarters there is a general distrust of NIST's curves and any of their other cryptographic primitives after the Dual EC DRBG debacle. From what I can tell, the following will prevent the use of
2015 Oct 30
0
Webmail accessive Dovecot logins
"A. Schulze" writes: > David Mehler: > >> Second question, in the doveconf -n there's reference to my ssl_cipher >> am I using current tls ciphers that support pfs? > >> ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL > > some non pfs cipher would be still active. check yourself: > # openssl ciphers -v
2015 Feb 06
2
TLS config check
Hi All First the essentials: dovecot --version: 2.2.15 /usr/local/etc/dovecot/conf.d/10-ssl.conf: ssl = required ssl_cert = </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list =
2015 Feb 06
0
TLS config check
Quoting SW <dovecot at bsdpanic.com>: > Hi All > > First the essentials: > > dovecot --version: 2.2.15 > > /usr/local/etc/dovecot/conf.d/10-ssl.conf: > > ssl = required > > ssl_cert = > </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt > > ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key > > ssl_protocols =
2014 Nov 02
2
Proposed openSSL usage improvements
Hi everyone, Prompted by the fact that addressing some of the recent SSL problems actually would benefit from also changing things on how openSSL is used (not just updating the library), I started looking into some improvements. The tracking ticket is: https://trac.xiph.org/ticket/2070 To sum it up: - hard disable SSLv3 - hard disable compression - new default cipher list - enable forward
2014 Jan 10
1
Possible to force cipher order?
Hi, is it possible to force the server cipher order instead of the clients preferences? When I connect with openssl using these ciphers: 'RC4-SHA:DHE-RSA-AES256-GCM-SHA384' -> RC4-SHA will be selected and with 'DHE-RSA-AES256-GCM-SHA384:RC4-SHA' -> DHE-RSA-AES256-GCM-SHA384 It seems to be recommended for webservers to override that due to bad clients choices and
2013 Sep 24
3
2048-bit Diffie-Hellman parameters
Currently, dovecot generates two primes for Diffie-Hellman key exchanges: a 512-bit one and a 1024-bit one. In light of recent events, I think it would be wise to add support for 2048-bit primes as well, or even better, add a configuration option that lets the user select a file (or files) containing the DH parameters In recent years, there has been increased interest in DH especially in its
2008 Aug 28
1
Wishlist: TLS,SSL cipher in a variable.
Hello again. Just thought I'd ask and see if it would be possible to get this sometime in the future: TLS and SSL connection information in a variable like %c today, but more exhaustive. For example I can from postfix get a log like: postfix/smtpd[432]: Anonymous TLS connection established from xxxxxx: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) This would be nice to see if you have
2017 Apr 14
0
several misc questions, public folders and sharing, quota, ssl
Please keep responses on the list. Thank you. =) Without ACL plugin there is no way to restrict access, it's free for all. my site is a very tiny few user site, but ... auth_mechanisms = login plain mail_attribute_dict = file:%h/Mail/dovecot-attributes mail_location = sdbox:~/Mail mail_plugins = stats quota fts fts_lucene namespace inbox { inbox = yes list = yes location = mailbox
2015 Apr 28
1
Disable weak ciphers in vnc_tls
Dear libvirt team, we are currently in a pci-dss certification process and our security scanner found weak ciphers in the vlc_tls service on our centos6 box: When I scan using sslscan I can see that sslv3 and rc4 is accepted: inf0rmix@tardis:~$ sslscan myhost:16514 | grep Accepted Accepted SSLv3 256 bits DHE-RSA-AES256-SHA Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 128
2017 Apr 14
0
several misc questions, public folders and sharing, quota, ssl
Can you try turning mail_debug=yes and posting logs? Also if possible, can you try telnetting to the server and issuing a LOGIN username password a SELECT public/TestFolder1 with debug turned on? ACL plugin is needed *iff* you want to *restrict* access. Aki > On April 14, 2017 at 11:53 PM David Mehler <dave.mehler at gmail.com> wrote: > > > Hi Aki, > > Thanks for
2017 Apr 27
0
confused with ssl settings and some error - need help
> On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> wrote: > > > Thank You for answers. But: > 1. How should be properly configured ssl_cipher_list? ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH To disable non-EC DH, use: ssl_cipher_list =
2009 Feb 26
1
OpenSSH with 'none' cipher (after reading bug #877)
Hi, I'd like to argue in favor of bug #877 ( https://bugzilla.mindrot.org/show_bug.cgi?id=877) from a new perspective. Instead of performance, I wish to raise the issue of regulatory compliance and auditing. I read all of #877 and I understand the arguments for and against, but I felt at the end the decisive comment by Damien was mostly based on 'We don't want users to use