On Fri, 22 May 2015 07:07:13 AM Sam Varshavchik wrote:

> > openssl dhparam -out /etc/ssl/dhparam.pem 2048
>
> mkdhparams already defaults to 2048 bit DH keys.

Right, good to know I can install courier first and just use its dhparam.pem for nginx too.

> > TLS_DHPARAMS=/etc/ssl/dhparam.pem
> > TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
>
> It's surprising that having SSLv3 in there makes MS-Windows client
> refuse to connect to the server.

I haven't found any definitive info from them stating they have dropped support for SSL3, and it only applies to a recently updated Windows 8.1 machine (to mitigate the POODLE attack, I guess). All I know is I found an old 768 bit dhparam.pem in use (could have been 3 or 4 years old), so some combination of 2048 bit certificate, 2048 bit DH key and removal of SSL3 started working for upgraded 8.1 clients.

> But, if MS-Window is going to force everyone to finally drop SSL3,
> that's fine. I'll drop it from the default configuration too.

FWIW when I use ssllabs.com to test the same certificate via nginx it lists emulated OS/browsers that rely on SSL3...

  Android 2.3.7
  IE 6 / XP
  IE 8 / XP
  Java 6/7/8

No great loss as everything else seems to work with TLS 1.0 or TLS 1.2. A possible solution for ancient XP users is to insist they use Thunderbird.

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
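An added example, not part of the message above and not Courier's or OpenSSL's own code: a small Python script that reads a PEM "DH PARAMETERS" file such as the dhparam.pem referenced above, decodes the DER SEQUENCE { INTEGER p, INTEGER g } inside it, and reports the size of the prime, flagging anything below 2048 bits like the old 768-bit file the poster found in use. It needs no OpenSSL; the two sample parameter files it builds are constructed for illustration, and their "primes" are only placeholders of the right bit length, not real DH groups.

```python
"""Report the prime size of a PEM-encoded 'DH PARAMETERS' file (dhparam.pem)."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_length(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def build_dhparam_pem(p: int, g: int = 2) -> str:
    """Wrap (p, g) in the PKCS#3 DHParameter SEQUENCE and PEM-armour it."""
    inner = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN DH PARAMETERS-----\n"
        + "\n".join(lines)
        + "\n-----END DH PARAMETERS-----\n"
    )


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; return (tag, value, position after it)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparam_pem(pem: str):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dhparam_bits(pem: str) -> int:
    """Bit length of the DH prime (what 'openssl dhparam -text' reports)."""
    return parse_dhparam_pem(pem)[0].bit_length()


def dhparam_is_acceptable(pem: str, minimum_bits: int = 2048) -> bool:
    """True when the prime meets the minimum; 768-bit groups fail this check."""
    return dhparam_bits(pem) >= minimum_bits


# Constructed samples: placeholder moduli of the right length, NOT real primes.
OLD_768_BIT_SAMPLE = build_dhparam_pem((1 << 767) | 1)
RECOMMENDED_2048_BIT_SAMPLE = build_dhparam_pem((1 << 2047) | 1)

if __name__ == "__main__":
    import sys
    # Usage: python dhcheck.py /etc/ssl/dhparam.pem  (path is an assumption)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else OLD_768_BIT_SAMPLE
    bits = dhparam_bits(pem)
    verdict = "ok" if dhparam_is_acceptable(pem) else "weak, regenerate"
    print(f"DH prime: {bits} bits -> {verdict}")
```

Run against a real dhparam.pem the script reports the same bit length as "openssl dhparam -in file -text -noout"; the point of the check is that TLS_DHPARAMS silently keeps using whatever file is there, so an old short group survives certificate upgrades until someone looks.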
