On 11.03.2014 14:43, Andreas Bauer wrote:
> Does Perdition support TLS version 1.1 and 1.2 for
> imaps?
Our installation does it, according to a test with
ssllabs.com.
> I tested perdition 1.19-rc5, which is included in
> Debian 7.4.
We use perdition 1.19~rc5-1+b1 on Debian 7.4
> It also includes "OpenSSL 1.0.1e 11 Feb 2013"
> which does support it.
libssl is 1.0.1e-2+deb7u4 here
> When scanning with "sslscan localhost:993", I don't
> get any matching
> cipher, even if I've added them to the "ssl_listen_ciphers" like this:
> ssl_listen_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
> EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
> EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW
> !3DES !MD5 !EXP !PSK !SRP !DSS"
ssl_listen_ciphers
"!SSLv2:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:-MD5:!EXP:!PSK:!DSS:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA:RC4+RSA"
For testing the TLS handshake (forcing TLS 1.2), you can also use
openssl s_client -host localhost -port 993 -tls1_2
and
openssl s_client -host localhost -port 143 -tls1_2 -starttls imap
But looking at your ciphers, it seems you are eager for Forward Secrecy,
which is independent of the TLS version - that doesn't seem to be
supported by perdition right now.
Also note that we re-enabled MD5-based ciphers because users with Windows
Mobile-based phones couldn't establish secure connections.
Regards
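
Added example, not part of the original message: a shell helper that reads the output of `openssl s_client` commands like the two above and reports the negotiated protocol separately from whether the negotiated cipher gives forward secrecy, since the two are independent. The function names and both sample transcripts are constructed for illustration; it assumes the SSL-Session block that s_client prints for a TLS 1.2 handshake.

```shell
#!/bin/sh
# Added example: summarise one `openssl s_client` transcript read from stdin.
# Output: <protocol> <cipher> fs=<yes|no> weak=<none|list>, or "no-handshake".
classify_handshake() {
    awk '
        # Lines from the SSL-Session block, e.g. "    Protocol  : TLSv1.2"
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            # A failed handshake reports cipher 0000 or (NONE).
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "no-handshake"; exit
            }
            # Forward secrecy comes from an ephemeral (EC)DH key exchange, visible
            # in the OpenSSL suite name; TLS 1.3 suites (TLS_*) always use one.
            fs = (cipher ~ /^(ECDHE|DHE|EDH)-/ || cipher ~ /^TLS_/) ? "yes" : "no"
            weak = ""
            if (cipher ~ /RC4/) weak = "RC4"
            if (cipher ~ /MD5/) weak = (weak == "" ? "MD5" : weak ",MD5")
            if (weak == "") weak = "none"
            print proto, cipher, "fs=" fs, "weak=" weak
        }'
}

# Constructed sample transcripts (not captured from a real server).
sample_pfs() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}
sample_legacy() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-MD5
EOF
}

sample_pfs | classify_handshake      # TLS 1.2 with forward secrecy
sample_legacy | classify_handshake   # TLS 1.2 without it

# Against a live listener, one protocol version at a time:
#   for v in -tls1 -tls1_1 -tls1_2; do
#     openssl s_client -host localhost -port 993 $v </dev/null 2>/dev/null | classify_handshake
#   done
```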