"A. Schulze"  writes:

David Mehler:

Second question: in the doveconf -n output there's a reference to my ssl_cipher.
Am I using current TLS ciphers that support PFS?

ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL

Some non-PFS ciphers would still be active. Check yourself:
# openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH

You'll want the 'E' variation (ephemeral) of the DH algorithms and,
preferably, the ECDHE variety, as they are faster and supported by more
browsers.  The pattern to search for (or exclude) is "DHE":

        openssl ciphers -v {cipher-specs} | grep DHE

If the OP wants to preferentially use PFS ciphers (but keep the other
ciphers around for very old browsers), maybe something like

        ssl_cipher_list = ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL
        ssl_prefer_server_ciphers = yes

Finally, you could use the service provided by ssllabs.com to scan your host.

I second this recommendation, if you can work out the port issue.  Maybe using
an ncat | ncat pipe.

Joseph Tam <[email protected]>
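An added example, not from any poster in this thread: a small shell audit that takes the output of `openssl ciphers -v '<spec>'` and splits it into forward-secret and non-forward-secret suites using the "DHE" name pattern the reply above recommends, and also checks that the ephemeral suites are ranked first, which is what matters once ssl_prefer_server_ciphers = yes makes the server's order authoritative. The cipher table embedded below is constructed sample output in the `openssl ciphers -v` column layout so the script runs without OpenSSL installed; the function names (non_pfs_suites, pfs_suites, pfs_first, audit) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit the output of
#   openssl ciphers -v '<ssl_cipher_list value>'
# for perfect forward secrecy. The name pattern "DHE" marks the ephemeral
# key exchanges (DHE and ECDHE); RSA key transport and static ECDH
# (ECDH-RSA-*, ECDH-ECDSA-*) do not match and provide no forward secrecy.

# Constructed sample of `openssl ciphers -v` output so the check runs
# offline; the columns mirror the real tool (name, protocol, Kx=, Au=, ...).
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA256
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDH-RSA-AES128-SHA     TLSv1   Kx=ECDH/RSA Au=ECDH  Enc=AES(128)               Mac=SHA1
AES128-SHA              SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA1'

# Print the suites (first column) whose name lacks "DHE": these would still
# be negotiable without forward secrecy.
non_pfs_suites() {
    awk '$1 !~ /DHE/ { print $1 }'
}

# Print the suites that do offer forward secrecy (DHE or ECDHE key exchange).
pfs_suites() {
    awk '$1 ~ /DHE/ { print $1 }'
}

# Exit 0 only if every PFS suite precedes every non-PFS suite. With
# ssl_prefer_server_ciphers = yes the server's order wins, so a list such as
# "ECDH:ALL:..." should place the ephemeral suites at the top.
pfs_first() {
    awk '
        $1 ~ /DHE/ { if (seen_non_pfs) exit 1; next }
        { seen_non_pfs = 1 }
    '
}

# Run the checks over live openssl output when a cipher spec is given and
# openssl is installed; otherwise fall back to the constructed sample.
audit() {
    if [ -n "$1" ] && command -v openssl >/dev/null 2>&1; then
        input=$(openssl ciphers -v "$1")
    else
        input=$SAMPLE_CIPHERS
    fi
    echo "PFS suites:";     printf '%s\n' "$input" | pfs_suites
    echo "non-PFS suites:"; printf '%s\n' "$input" | non_pfs_suites
    if printf '%s\n' "$input" | pfs_first; then
        echo "order: PFS suites are preferred"
    else
        echo "order: a non-PFS suite is ranked above a PFS suite"
    fi
}

# Usage: audit 'ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL'
audit "$@"
```

Run it with the candidate ssl_cipher_list value as the argument on a box with OpenSSL to see what Dovecot would actually offer; anything listed under "non-PFS suites" is what a client without ephemeral key exchange would fall back to.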
