Thanks for the quick reply!

On 20.08.2013 01:34, Sam Varshavchik wrote:

> I do not see the connection between "PFS" and these two specific key
> exchange protocols.
>
> "PFS" is just a generic concept, not tied to any particular technology.

To my knowledge the ciphers starting with DHE and ECDHE are the only ones implementing this type of key exchange. When reading articles on this topic (there are quite a few), those are always the ones mentioned that you should have and look for.

I don't think there are any other key exchange protocols in openssl besides those two that implement this.

> In addition to TLS_CIPHER_LIST, the list of available ciphers also
> depends on your certificate file.

Except I've got exactly the SAME certificate file in my dovecot configuration and connecting to the dovecot ports works with DHE/ECDHE.

Courier: Protocol : TLSv1.2 / Cipher : AES256-GCM-SHA384
Dovecot: Protocol : TLSv1.2 / Cipher : DHE-RSA-AES256-GCM-SHA384

On another server I've got a very similar certificate file (from the same CA, just for a different domain) in use on Postfix for SMTP (where PFS works with STARTTLS) and in Zarafa (a Linux Exchange replacement) where PFS doesn't work. So on this other system the server software also determines what gets used and not the certificate.

> I don't recall offhand if you are required to use a DH certificate,
> instead of an RSA certificate, or if having DH parameters is sufficient.
> Use "openssl dhparams" to generate a set of new DH parameters, and
> append them to your certificate file, and see if it helps. If not, try
> creating a new DH certificate.

dhparams doesn't list anything containing DHE or ECDHE. I don't think it has anything to do with the certificate file. No article I've read on this ever mentioned that this depends on the certificate file.

Do you know of any courier servers where "openssl s_client -connect domain.net:465" (probably also the same for IMAPS and POP3S ports) shows that a connection was made using "Cipher: " that starts with DHE or ECDHE? I would seriously doubt that such a thing does exist :-)

openssl s_client -starttls smtp -connect mailx.courier-mta.com:25
=> Protocol : TLSv1.2 / Cipher : AES256-GCM-SHA384
=> No DHE/ECDHE capability on the MX for courier-mta.org !

Gerald
courier-users mailing list courier-users@lists.sourceforge.net
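The check Gerald is doing by eye above (does the negotiated cipher name start with DHE or ECDHE?) is easy to automate. The following is an added example, not code from the thread or from Courier: it parses the `Protocol`/`Cipher` lines that `openssl s_client` prints (both the summary form quoted in the mail and the `New, ..., Cipher is ...` line), reports whether the negotiated suite uses an ephemeral key exchange, and filters a `TLS_CIPHER_LIST`-style string down to its forward-secret suites. The sample outputs are constructed from the two results quoted in the message.

```python
import re

# OpenSSL cipher-suite names that begin with these prefixes use an ephemeral
# (forward-secret) key exchange. EDH/EECDH are OpenSSL aliases for DHE/ECDHE.
EPHEMERAL_KX = ("DHE-", "ECDHE-", "EDH-", "EECDH-")


def forward_secret(cipher):
    """True if the OpenSSL cipher name signals an ephemeral key exchange.
    A name with no such prefix (e.g. AES256-GCM-SHA384) means plain RSA
    key transport, which gives no forward secrecy."""
    return cipher.upper().startswith(EPHEMERAL_KX)


# "Protocol : TLSv1.2 ... Cipher : NAME" (the lines may be separated by
# other text, hence re.S), and the "New, TLSv1/SSLv3, Cipher is NAME" line.
_SUMMARY = re.compile(r"Protocol\s*:\s*(\S+).*?Cipher\s*:\s*(\S+)", re.S)
_NEW_LINE = re.compile(r"^New,\s*\S+,\s*Cipher is\s*(\S+)", re.M)


def parse_s_client(output):
    """Return (protocol, cipher, forward_secret) from s_client output, or
    None when no cipher was negotiated (s_client prints (NONE) or 0000)."""
    m = _SUMMARY.search(output)
    if m:
        proto, cipher = m.group(1), m.group(2)
    else:
        m = _NEW_LINE.search(output)
        if not m:
            return None
        proto, cipher = None, m.group(1)
    if cipher in ("(NONE)", "0000"):
        return None
    return proto, cipher, forward_secret(cipher)


def pfs_subset(cipher_list):
    """Keep only the forward-secret suites of a colon-separated cipher list
    (the format used by TLS_CIPHER_LIST and 'openssl ciphers')."""
    return [c for c in cipher_list.split(":") if c and forward_secret(c)]


# Constructed sample output, modelled on the two results quoted in the thread.
COURIER = "Protocol  : TLSv1.2\n    Cipher    : AES256-GCM-SHA384\n"
DOVECOT = "Protocol  : TLSv1.2\n    Cipher    : DHE-RSA-AES256-GCM-SHA384\n"

if __name__ == "__main__":
    for name, out in (("Courier", COURIER), ("Dovecot", DOVECOT)):
        print(name, parse_s_client(out))
```

To check a live server, pipe `openssl s_client -connect host:465 </dev/null 2>&1` into `parse_s_client`; a `False` in the result means the server picked a non-ephemeral suite even if your cipher list offers DHE/ECDHE.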