On Tue, 19 May 2015 10:07:32 AM Alessandro Vesely wrote:
> > No, but admittedly just a cheap chained certificate...
>
> What's the key length? This article seems to imply it must be >= 2048:
> https://www.sophos.com/en-us/support/knowledgebase/122327.aspx

Thanks for this (and Sam's) hint about an older certificate being at fault. It wasn't the first thing that occurred to me because the cert had been working up until the W8.1 upgrade and still worked for all other clients.

However, just installing a new 2048 bit certificate didn't fix our problem, it also required a 2048 bit DH key exchange and disabling SSL3 as well...

    openssl dhparam -out /etc/ssl/dhparam.pem 2048

and I modified these 2 settings in esmtpd and imapd...

    TLS_DHPARAMS=/etc/ssl/dhparam.pem
    TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"

Getting the chained certificates in the right order for nginx and courier is yet another battle but that depends on the particular cert in use.