On 06/27/13 13:36 +0200, Vladislav Kurz wrote:
> Hello all,
>
> recently I read an article about perfect forward secrecy, and so I have tried
> all of our services to see what ciphers they use. I have found that most of
> them use DHE-RSA-AES256-SHA (which I suppose has PFS thanks to DH key
> exchange), but Cyrus IMAPd (and POP3d) used only AES256-SHA. When I set my
> client to use only DHE-RSA-AES256-SHA, the connection was refused.
>
> So, is there anything I can do to enable DH key negotiation in imapd.conf?
>
> My tls options from imapd.conf are:
>
> tls_cert_file: /etc/ssl/certs/mail.crt
> tls_key_file: /etc/ssl/private/mail.key
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_require_cert: false
>
> mail.crt also contains the whole certificate chain of the public certificate
> authority that issued my certificate.
>
> /etc/ssl/certs contains only a few certificates - one is the same as included
> in mail.crt, and the others belong to our governmental CA - some clients tried
> to send them to the server to authenticate, even though authentication is only
> password based.
>
> Somewhere I found a howto that suggested adding DH parameters to either the
> cert or key file (they used one for both), but it didn't work.

Try setting tls_cipher_list. See imapd.conf(5) and ciphers(1).

--
Dan White
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
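The thread ends with the pointer to tls_cipher_list. As an added example (not Cyrus code and not part of the original thread), the script below reads the poster's imapd.conf options, reports whether tls_cipher_list is set, expands a cipher string through the local OpenSSL the way ciphers(1) does, and flags suites such as AES256-SHA whose key exchange is RSA key transport rather than ephemeral (EC)DH. The sample configuration is the one quoted in the question; SUGGESTED_CIPHER_LIST is a value constructed for this example, and the name-prefix classification in has_forward_secrecy is an assumption about OpenSSL's suite naming.

```python
"""Audit a Cyrus imapd.conf for a forward-secrecy-capable tls_cipher_list.

Added example, not Cyrus code. Assumes the `option: value` line format of
imapd.conf(5) and OpenSSL cipher-suite names.
"""
import ssl

# Constructed sample: the options quoted in the question, with no tls_cipher_list.
SAMPLE_CONF = """\
tls_cert_file: /etc/ssl/certs/mail.crt
tls_key_file: /etc/ssl/private/mail.key
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_require_cert: false
"""

# Constructed for this example: prefer ephemeral (EC)DH suites, exclude
# anonymous and null suites. Adjust to what the server's clients support.
SUGGESTED_CIPHER_LIST = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5"


def parse_imapd_conf(text):
    """Parse `option: value` lines; blank lines and `#` comments are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def has_forward_secrecy(cipher_name):
    """True if an OpenSSL suite name uses ephemeral key exchange.

    Assumption about OpenSSL naming: DHE-/ECDHE-/EDH- prefixes and every
    TLS 1.3 suite (TLS_...) do ephemeral key exchange. Anonymous ADH/AECDH
    suites also use DH but authenticate nobody, so they are rejected too.
    Anything else, e.g. AES256-SHA (RSA key transport), gives no PFS.
    """
    name = cipher_name.upper()
    if name.startswith(("ADH-", "AECDH-")):
        return False
    return name.startswith(("DHE-", "ECDHE-", "EDH-", "TLS_"))


def expand_cipher_spec(spec):
    """Expand an OpenSSL cipher string (e.g. 'DHE+AES:!aNULL') into the suite
    names the local OpenSSL would actually offer, as ciphers(1) does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def audit_suites(suites):
    """Return the suites in the list that do not provide forward secrecy."""
    return [s for s in suites if not has_forward_secrecy(s)]


def audit_conf(text):
    """Return (tls_cipher_list value or None, non-PFS suites, suggestion or None)."""
    opts = parse_imapd_conf(text)
    spec = opts.get("tls_cipher_list")
    if spec is None:
        # Nothing set: the server falls back to OpenSSL's default ordering,
        # so there is no explicit preference for DHE/ECDHE suites.
        return None, [], SUGGESTED_CIPHER_LIST
    weak = audit_suites(expand_cipher_spec(spec))
    return spec, weak, (SUGGESTED_CIPHER_LIST if weak else None)


if __name__ == "__main__":
    spec, weak, suggestion = audit_conf(SAMPLE_CONF)
    print("tls_cipher_list:", spec or "(not set)")
    if weak:
        print("suites without forward secrecy:", ", ".join(weak))
    if suggestion:
        print("suggested: tls_cipher_list:", suggestion)
```

After changing imapd.conf and restarting the service, confirm from a client with `openssl s_client -connect mail.example.com:993 -cipher DHE-RSA-AES256-SHA` (or `-starttls imap` against port 143) and read the "Cipher is" line of the handshake summary; mail.example.com is a placeholder for the server being checked.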