similar to: FREAK/Logjam, and SSL protocols to use

Displaying 20 results from an estimated 4000 matches similar to: "FREAK/Logjam, and SSL protocols to use"

2015 May 27
2
FREAK/Logjam, and SSL protocols to use
Quoting Gedalya <gedalya at gedalya.net>: > On 05/26/2015 10:37 AM, Ron Leach wrote: >> https://weakdh.org/sysadmin.html >> >> includes altering DH parameters length to 2048, and re-specifying the >> allowable cipher suites - they give their suggestion. > > It looks like there is an error on this page regarding regeneration. In > current dovecots
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
Quoting Gedalya <gedalya at gedalya.net>: > On 05/27/2015 09:55 AM, Rick Romero wrote: >> Quoting Gedalya <gedalya at gedalya.net>: >> >>> On 05/26/2015 10:37 AM, Ron Leach wrote: >>>> https://weakdh.org/sysadmin.html >>>> >>>> includes altering DH parameters length to 2048, and re-specifying the >>>> allowable
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
On 27/05/2015 05:22, Gedalya wrote: > It looks like there is an error on this page regarding regeneration. > In current dovecots ssl_parameters_regenerate defaults to zero, and > this means regeneration is disabled. The old default was 168 hours (1 > week). > The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is > confusing and could be understood to mean that the
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
On 05/27/2015 09:55 AM, Rick Romero wrote: > Quoting Gedalya <gedalya at gedalya.net>: > >> On 05/26/2015 10:37 AM, Ron Leach wrote: >>> https://weakdh.org/sysadmin.html >>> >>> includes altering DH parameters length to 2048, and re-specifying the >>> allowable cipher suites - they give their suggestion. >> >> It looks like there
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
On 05/26/2015 10:37 AM, Ron Leach wrote: > > https://weakdh.org/sysadmin.html > > includes altering DH parameters length to 2048, and re-specifying the > allowable cipher suites - they give their suggestion. It looks like there is an error on this page regarding regeneration. In current dovecots ssl_parameters_regenerate defaults to zero, and this means regeneration is
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
>It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently. That's not really correct. If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else). It is computationally intensive to
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
>But when you write NOT to regenerate, are you saying that using larger primes makes regenerating unnecessary, or are you telling us that it's somehow harmful? For a given computational effort, you get the most bang-for-the-buck by choosing large parameters (and checking very carefully that they are "safe") rather than smaller parameters (and/or checking them less carefully)
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
> For a given computational effort, you get the most bang-for-the-buck by > choosing large parameters (and checking very carefully that they are > "safe") rather than smaller parameters (and/or checking them less > carefully) which you then regenerate. This discussion (on the OpenSSH mailing list) http://marc.info/?t=143221614200001 may be helpful to those thinking
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
Based on the recent found weaknesses in DH key exchange, http://weakdh.org/ I increased ssl_dh_parameters_length to 2048 bits, and found waited for 5+ minutes for dovecot to come back online after a restart. Unless you got a fast machine, the initialization of DH parameters can exceed your patience. Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if Dovecot uses old
2006 Jan 18
6
Major CPU spike for SSL parameters?
I went from a nightly of about 20051117 or so (about alpha4 generation) to 1.0beta1 yesterday, and dovecot is now spinning the CPU furiously apparently every ~10 minutes per: Jan 18 13:04:36 server dovecot: SSL parameters regeneration completed Jan 18 13:14:14 server dovecot: SSL parameters regeneration completed Jan 18 13:24:00 server dovecot: SSL parameters regeneration completed Jan 18
2015 May 23
2
Weak DH primes and openssh
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256 at libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be
2015 May 21
8
Weak DH primes and openssh
Hi, You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak. I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users? openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I
2014 Dec 02
4
disabling certain ciphers
On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > >
2015 Mar 04
2
New FREAK SSL Attack CVE-2015-0204
Hello, about the CVE-2015-0204, in apache the following config seems to disable this vulnerability: SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 Is something similar possible with dovecot ? If yes, what are the implications with old mail clients ? -- Best regards, Adrian Minta
2013 Nov 05
2
ssl-params regeneration with dovecot 2.2.7
Hello, after switching from version 2.2.7 to 2.2.7 I miss the loglines which say: ssl-params: Generating SSL parameters ssl-params: SSL parameters regeneration completed The configuration has not been changed and reads: | # 2.2.7: /usr/local/dovecot/etc/dovecot/dovecot.conf | # OS: Linux 2.6.35.14-106.fc14.i686.PAE i686 Fedora release 14 (Laughlin) ext3 | auth_mechanisms = plain login |
2014 Dec 02
2
disabling certain ciphers
On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a
2017 Mar 20
1
Deploying Diffie-Hellman for TLS
I have been reading up on TLS and Dovecot and came across this URL: https://www.weakdh.org/sysadmin.html which recommended these settings for Dovecot. I would like to know if they are correct? Some much documentation on the web is pure garbage. Dovecot These changes should be made in /etc/dovecot.conf Cipher Suites
2006 Jan 27
2
How to make pops
Hi, I use dovecot (pop) with gentoo but it's not securize. I would like to use pops but i don't how to do this. I think i have to use certificates... This my dovecot.conf : protocols = imap imaps pop3 pop3s imap_listen = * pop3_listen = * imaps_listen = * pop3s_listen = * ssl_disable = no login = imap login = pop3 default_mail_env = maildir:%h/.maildir mbox_locks = fcntl dotlock auth =
2015 May 23
1
Logjam ?
Hello, Does the recent Logjam[1] vulnerability affect Tinc? The security section of the Tinc website says: "Although tinc uses the OpenSSL library, it does not use the SSL protocol to establish connections between daemons" What would that mean, specifically, in regards to Logjam? Thank you for your time and for providing a great piece of VPN software! [1]