David B Funk wrote:
sslProtocols = cpystr("ALL -SSLv2 -SSLv3"); /* default protocols */
sslCipherList = cpystr("ALL:!SSLv2:!ADH:!EXP:!LOW:!MD5:@STRENGTH"); /* default cipher list */
I tweaked the defaults, although I didn't follow your suggestion
exactly (ALL:!LOW:!ADH:!aDSS:!EXP:!MD5:@STRENGTH).
This evening I threw together the actual DHparameter implementation.
Well, it seems only Panda code will merge changes.
For those using UW, like me, I will continue to maintain the patch. I added
support for DH and ECDH.
Thus my Imap now connects with ECDHE-RSA-AES256-GCM-SHA384
The patch is available here:
http://www.freebsd.cz/~dan/patch-DAN-SETSSL
Note it replaces patch-DAN-SETSSLCIPHER.
Changes against patch-DAN-SETSSLCIPHER:
support for DH and ECDH
new configuration option
set dh-parameters <filename>
Short description of behavior:
Attempt to read DH Parameters from (first win)
1. <filename>
2. SSL_CERT_DIRECTORY/dhparam.pem
3. file with server's certificate
Attempt to read ECDH Parameters from (first win)
1. <filename>
2. SSL_CERT_DIRECTORY/dhparam.pem
3. file with server's certificate
4. embedded NID_X9_62_prime256v1
Note that patch has not been tested so much yet (it's about 6am here,
I'm going to sleep).
Dan
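The first-win lookup order described above, as an added illustration (not the patch's C code): it scans each candidate PEM file for a DH or EC parameters block, so parameters appended to the server certificate file are found too, and falls back to the embedded prime256v1 curve only for ECDH. File names in demo() are constructed; SSL_CERT_DIRECTORY is passed in as cert_dir.

```python
import os
import tempfile
from pathlib import Path

# Fallback named in the patch description: the embedded NID_X9_62_prime256v1 curve.
EMBEDDED_EC_CURVE = "prime256v1"

def pem_block(path, label):
    """Return the first '-----BEGIN <label>-----' block in a PEM file, or None.
    The certificate file (candidate 3) may carry a parameters block after the
    certificate, so the whole file is scanned rather than just its first block."""
    try:
        text = Path(path).read_text()
    except OSError:
        return None
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    start = text.find(begin)
    stop = text.find(end, start) if start >= 0 else -1
    return text[start:stop + len(end)] if stop >= 0 else None

def candidates(configured, cert_dir, cert_file):
    """First-win order: 'set dh-parameters <filename>', then
    SSL_CERT_DIRECTORY/dhparam.pem, then the file holding the server certificate."""
    return [p for p in (configured, os.path.join(cert_dir, "dhparam.pem"), cert_file) if p]

def resolve_params(label, configured, cert_dir, cert_file, fallback=None):
    for path in candidates(configured, cert_dir, cert_file):
        if pem_block(path, label):
            return ("file", path)
    # No file supplied parameters: ECDH has an embedded curve, DH has nothing.
    return ("embedded", fallback) if fallback else None

def resolve_dh(configured, cert_dir, cert_file):
    return resolve_params("DH PARAMETERS", configured, cert_dir, cert_file)

def resolve_ecdh(configured, cert_dir, cert_file):
    return resolve_params("EC PARAMETERS", configured, cert_dir, cert_file,
                          fallback=EMBEDDED_EC_CURVE)

def demo():
    """Constructed layout: no configured file, a dhparam.pem beside the certificate,
    and a certificate file holding only a CERTIFICATE block. Returns both lookups."""
    cert_dir = tempfile.mkdtemp()
    dh, cert = os.path.join(cert_dir, "dhparam.pem"), os.path.join(cert_dir, "imapd.pem")
    Path(dh).write_text("-----BEGIN DH PARAMETERS-----\nQ09OU1RSVUNURUQ=\n-----END DH PARAMETERS-----\n")
    Path(cert).write_text("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    return {"dh": resolve_dh(None, cert_dir, cert), "ecdh": resolve_ecdh(None, cert_dir, cert)}
```

With this layout DHE suites get the parameters from dhparam.pem while ECDHE falls back to the embedded curve; an absent dhparam.pem and a certificate file without a DH block leave resolve_dh returning None.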
Neal Horman wrote:
I have already applied the "ssl cipher and protocol options patch"
from http://www.freebsd.cz/~dan/patch-DAN-SETSSLCIPHER to my panda
fork at
I'm the author of that patch.
It implements the
set ssl-cipher-list
set ssl-protocols
options (with same syntax as Apache's directives).
Note I updated the patch in question to support TLSv1.1 and TLSv1.2 as
well, so if you use it you may consider updating.
I have a plan to add set dh-parameters referring to the file with DH group
data, but it's not completed yet.
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw