All,

I have applied, committed, and pushed David's SSL DH options patch, supplied privately.
Constructive comments welcome!
I am presently running the code from this last patch and the update
that I previously committed earlier today, and it appears to be working.
Evidence follows:
--- pre-changes from today - using /etc/c-config.cf
# These are the hard coded default values, but are shown for completeness
set ssl-protocols -all +TLSV1
set ssl-cipher-list HIGH:!ADH:!EXP:!LOW:!SSLV2:!SSLV3
---
subject=/CN= --- redacted ---
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 2911 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: --- redacted ---
Session-ID-ctx:
Master-Key: --- redacted ---
Key-Arg : None
Start Time: 1491529991
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4REV1 I18NLEVEL=1 LITERAL+ SASL-IR LOGIN-REFERRALS
AUTH=PLAIN AUTH=LOGIN] cpe-67-10-173-141.satx.res.rr.com Panda IMAP 2010.417 at
Thu, 6 Apr 2017 20:53:11 -0500 (CDT)
* BYE Autologout (idle for too long)
read:errno=0
--- end ---
--- post changes from today - using /etc/c-config.cf
set ssl-protocols -all +TLSV1.1 +TLSV1.2
set ssl-cipher-list HIGH:!ADH:!EXP:!LOW:!SSLV2:!SSLV3
set ssl-dh-parameters /etc/mail/certs/dh.param
---
subject=/CN= --- redacted ---
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 4103 bytes and written 625 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: --- redacted ---
Session-ID-ctx:
Master-Key: --- redacted ---
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - --- redacted ---
Start Time: 1491528526
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4REV1 I18NLEVEL=1 LITERAL+ SASL-IR LOGIN-REFERRALS
AUTH=PLAIN AUTH=LOGIN] localhost Panda IMAP 2010.417 at Thu, 6 Apr 2017
20:28:46 -0500 (CDT)
* BYE Autologout (idle for too long)
read:errno=0
--- end ---
Regards
Neal Horman
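As an added example (not part of Neal's post or of the IMAP-UW code), here is a small Python check that parses `openssl s_client` output like the two transcripts above and flags what the DH patch changed: the negotiated protocol version, whether the cipher provides forward secrecy, and the size of the ephemeral DH group. The two excerpts are trimmed copies of the transcripts in the post, with redacted fields left out.

```python
import re

# Excerpts of the two s_client transcripts from the post (pre- and post-patch),
# trimmed to the lines this check needs.
BEFORE = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

AFTER = """\
Server Temp Key: DH, 2048 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""

def parse_s_client(text):
    """Pull the negotiated protocol, cipher and ephemeral key out of s_client output."""
    info = {"protocol": None, "cipher": None, "temp_key_type": None, "temp_key_bits": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protocol\s*:\s*(\S+)", line)
        if m:
            info["protocol"] = m.group(1)
        m = re.match(r"Cipher\s*:\s*(\S+)", line)
        if m:
            info["cipher"] = m.group(1)
        # Only printed when an ephemeral (DHE/ECDHE) key exchange was used.
        m = re.match(r"Server Temp Key:\s*(\w+),\s*(\d+) bits", line)
        if m:
            info["temp_key_type"] = m.group(1)
            info["temp_key_bits"] = int(m.group(2))
    return info

def assess(info):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if info["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {info['protocol']} is below TLS 1.2")
    cipher = info["cipher"] or ""
    # DHE-/ECDHE- suites (and every TLS 1.3 TLS_* suite) use an ephemeral key exchange.
    if not cipher.startswith(("DHE-", "ECDHE-", "TLS_")):
        findings.append(f"cipher {cipher} has no forward secrecy (no ephemeral key exchange)")
    if info["temp_key_type"] == "DH" and info["temp_key_bits"] < 2048:
        findings.append(f"DH group is only {info['temp_key_bits']} bits")
    return findings
```

Running `assess(parse_s_client(BEFORE))` reports the TLSv1 protocol and the non-ephemeral AES256-SHA suite, while the post-patch transcript passes cleanly with its 2048-bit DH group.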
_______________________________________________ Imap-uw mailing list [email protected] http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
