Imapd and diffie hellman encryption
Vladislav Kurz
vladislav.kurz at webstep.net
Thu Jun 27 07:36:00 EDT 2013
Hello all,
recently I read an article about perfect forward secrecy, and so I have tried
all of our services to see what ciphers do they use. I have found that most of
them use DHE-RSA-AES256-SHA (which I suppose has PFS thanks to DH key
exchange), but Cyrus IMAPd (and POP3d) used only AES256-SHA. When I set my
client to use only DHE-RSA-AES256-SHA, connection was refused.
So, is there anything I can do to enable DH key negotioation in imapd.conf?
My tls options from imapd.conf are:
tls_cert_file: /etc/ssl/certs/mail.crt
tls_key_file: /etc/ssl/private/mail.key
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_require_cert: false
mail.crt contains also the whole certificate chain of public certificate
authority that issued my certificate.
/etc/ssl/certs contains only a few certificates - one is the same as included
in mail.crt, and others belong to our govermental CA - some clients tried to
send them to the server to authenticate, even though authentication is only
password based.
Somewhere I found a howto that suggested to add DH parameters to either cert
or key file (they used one for both), but it didn't work.
--
Best Regards
Vladislav Kurz
More information about the Info-cyrus
mailing list