Imapd and diffie hellman encryption
dwhite at olp.net
Thu Jun 27 09:30:46 EDT 2013
On 06/27/13 13:36 +0200, Vladislav Kurz wrote:
>recently I read an article about perfect forward secrecy, and so I have tried
>all of our services to see what ciphers do they use. I have found that most of
>them use DHE-RSA-AES256-SHA (which I suppose has PFS thanks to DH key
>exchange), but Cyrus IMAPd (and POP3d) used only AES256-SHA. When I set my
>client to use only DHE-RSA-AES256-SHA, connection was refused.
>So, is there anything I can do to enable DH key negotioation in imapd.conf?
>My tls options from imapd.conf are:
>mail.crt contains also the whole certificate chain of public certificate
>authority that issued my certificate.
>/etc/ssl/certs contains only a few certificates - one is the same as included
>in mail.crt, and others belong to our govermental CA - some clients tried to
>send them to the server to authenticate, even though authentication is only
>Somewhere I found a howto that suggested to add DH parameters to either cert
>or key file (they used one for both), but it didn't work.
Try setting tls_cipher_list. See imapd.conf(5) and ciphers(1).
More information about the Info-cyrus