Imapd and Diffie-Hellman encryption

Hello all,

recently I read an article about perfect forward secrecy, and so I have tried 
all of our services to see what ciphers they use. I have found that most of 
them use DHE-RSA-AES256-SHA (which I suppose has PFS thanks to DH key 
exchange), but Cyrus IMAPd (and POP3d) used only AES256-SHA. When I set my 
client to use only DHE-RSA-AES256-SHA, the connection was refused.

So, is there anything I can do to enable DH key negotiation in imapd.conf?

My tls options from imapd.conf are:

tls_cert_file: /etc/ssl/certs/mail.crt
tls_key_file: /etc/ssl/private/mail.key
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_require_cert: false

mail.crt also contains the whole certificate chain of the public certificate 
authority that issued my certificate.

/etc/ssl/certs contains only a few certificates - one is the same as included 
in mail.crt, and the others belong to our governmental CA - some clients tried 
to send them to the server to authenticate, even though authentication is only 
password based.

Somewhere I found a howto that suggested adding DH parameters to either the 
cert or key file (they used one for both), but it didn't work.

-- 
Best Regards
	Vladislav Kurz
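
The client-side check described in the message above (offering only DHE-RSA-AES256-SHA and seeing whether the server accepts it), as an added example that is not part of the original post. Port 993 (IMAPS) and the host name mail.example.org are assumptions; certificate verification is turned off because the probe only inspects the negotiated cipher and sends no data.

```python
import socket
import ssl


def key_exchange(cipher_name):
    """Classify an OpenSSL cipher-suite name by its key exchange."""
    if cipher_name.startswith("TLS_"):
        return "ephemeral"              # TLS 1.3 suites always use (EC)DHE
    first = cipher_name.split("-")[0]
    if first in ("ADH", "AECDH"):
        return "anonymous"              # ephemeral DH, but no server authentication
    if first in ("DHE", "EDH", "ECDHE"):
        return "ephemeral"              # forward secret
    return "static"                     # e.g. AES256-SHA: RSA key transport, no PFS


def probe(host, port=993, ciphers="DHE-RSA-AES256-SHA", timeout=5.0):
    """Offer only `ciphers` (TLS 1.2 or older) and report what the server selects."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # cipher survey only, nothing is sent
        ctx.verify_mode = ssl.CERT_NONE
        # set_ciphers() does not restrict TLS 1.3 suites, so cap the version
        # to make the offered list decide the key exchange.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
        return {"accepted": True, "cipher": name, "protocol": proto,
                "key_exchange": key_exchange(name)}
    except (ssl.SSLError, OSError) as exc:
        # A handshake failure here means the server shares none of `ciphers`
        # (or the local OpenSSL build does not provide them).
        return {"accepted": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed sample: the two suites named in the post plus two others.
    for suite in ("DHE-RSA-AES256-SHA", "AES256-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"):
        print(f"{suite:32} {key_exchange(suite)}")
    # Placeholder host (assumption); replace with the server under test:
    # print(probe("mail.example.org"))
    # print(probe("mail.example.org", ciphers="AES256-SHA"))
```

Running probe() once with the DHE suite and once with AES256-SHA reproduces the comparison in the post: the first call returns accepted False when the server cannot do DHE, the second shows the static suite it falls back to.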