11 Mar
2014
11 Mar
'14
1:43 p.m.
Hi all,
I was searching the web and the mailing list, but couldn’t find an answer on this
question:
Does Perdition support TLS Version 1.1. and 1.2 for imaps?
I tested perdition 1.19-rc5, which is included in Debian 7.4.
It also includes "OpenSSL 1.0.1e 11 Feb 2013“ which does support it.
When scanning with „sslscan localhost:993“, I don’t get any matching cipher, even if I’ve
added them to the „ssl_listen_ciphers“ like this:
ssl_listen_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4
!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS“
Thanks for your help!
Cheers
Andreas
11 Mar
11 Mar
2:30 p.m.
Am 11.03.2014 14:43, schrieb Andreas Bauer:
Does Perdition support TLS Version 1.1. and 1.2 for
imaps?
Our installation does it, according to a test with ssllabs.com.
I tested perdition 1.19-rc5, which is included in
Debian 7.4.
We use perdition 1.19~rc5-1+b1 on Debian 7.4
It also includes "OpenSSL 1.0.1e 11 Feb 2013“
which does support it.
libssl is 1.0.1e-2+deb7u4 here
When scanning with „sslscan localhost:993“, I don’t
get any matching
cipher, even if I’ve added them to the „ssl_listen_ciphers“ like this:
ssl_listen_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW
!3DES !MD5 !EXP !PSK !SRP !DSS“
ssl_listen_ciphers
"!SSLv2:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:-MD5:!EXP:!PSK:!DSS:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA:RC4+RSA"
For testing the TLS handshake (forcing TLS 1.2), you can also use
openssl s_client -host localhost -port 993 -tls1_2
and
openssl s_client -host localhost -port 143 -tls1_2 -starttls imap
But looking on your ciphers it seems you are eager on Forward Secrecy,
which is independent of the TLS version - that doesn't seem to be
supported by perdition right now.
Also note that we reenabled MD5-based ciphers because users with Windows
Mobile based phones couldn't establish secure connections.
Regards
2:35 p.m.
On 03/11/2014 10:30 AM, Matthias Hunstock wrote:
But looking on your ciphers it seems you are eager on
Forward Secrecy,
which is independent of the TLS version - that doesn't seem to be
supported by perdition right now.
PFS for perdition has been discussed on-list recently by simon and
myself, but i don't think it's integrated upstream at the moment.
a patch is available for those who want it at:
http://lists.vergenet.net/pipermail/perdition-users/2013-October/002669.html
I can happily say that the patch works and i'm using it in production to
provide PFS for IMAP/POP gateways.
Also note that we reenabled MD5-based ciphers because
users with Windows
Mobile based phones couldn't establish secure connections.
interesting. is there published documentation of this limitation of
Windows Mobile?
--dkg
2:41 p.m.
Am 11.03.2014 15:35, schrieb Daniel Kahn Gillmor:
> Also note that we reenabled MD5-based ciphers
because users with Windows
> Mobile based phones couldn't establish secure connections.
interesting. is there published documentation of this
limitation of
Windows Mobile?
Didn't find anything back then (January I think), we solved it by
capturing the handshake with tcpdump and looking at the ciphers offered
by the client (phone). The strongest cipher was something like
RSA-AES128-MD5, all of them were using MD5.
Regards
Matthias
12 Mar
12 Mar
2:40 p.m.
Dear Daniel,
dear Matthias,
thank you both for your very valuable Postings!
I really appreciate it!
Actually I worked through the cipher list you sent, using it now in our production
environment. MD5 is disabled, because we don’t have Windows Mobile at the moment.
Hopefully you EDH and EECDH patch will make it into upstream, then I will rework the
cipher list once again :)
Best regards
Andreas
Am 11.03.2014 um 15:41 schrieb Matthias Hunstock <matthias.hunstock(a)tu-ilmenau.de>de>:
Am 11.03.2014 15:35, schrieb Daniel Kahn Gillmor:
> Also note that we reenabled MD5-based ciphers
because users with Windows
> Mobile based phones couldn't establish secure connections.
interesting. is there published documentation of
this limitation of
Windows Mobile?
Didn't find anything back then (January I think), we solved it by
capturing the handshake with tcpdump and looking at the ciphers offered
by the client (phone). The strongest cipher was something like
RSA-AES128-MD5, all of them were using MD5.
Regards
Matthias
______________________________________________
Perdition-users mailing list
Perdition-users(a)vergenet.net
http://lists.vergenet.net/listinfo/perdition-users
3706
days inactive
3707
days old
4 comments
3 participants
participants (3)
-
Andreas Bauer -
Daniel Kahn Gillmor -
Matthias Hunstock