Hi John,
On 2015-11-08 13:52, John Allen wrote:
I ran the ssl-tools tests on my mail server.
Everything seems to be OK, BUT it reports that I am using a weak
cipher "ECDHE_RSA_WITH_RC4_128_SHA"!

So I sat down and googled - postfix/dovecot/apache - cipher
suites/recommendations less than one year old.
I gave up at about the fifteenth response. Every one of them was
different and gave me lists of ciphers ranging in length from about
eight to almost a full web page.

Would somebody point me in the right direction? I am trying to make my
installation secure, but manageable.

I am using Viktor's recommendation from August 2015 here on the list,
see:
-> http://thread.gmane.org/gmane.mail.postfix.user/251935/focus=251935

The ssl-tools.net test warns about supported weak ciphers, namely
ECDHE_RSA_WITH_RC4_128_SHA as in your result. Checking the mail log of
my small 6-user mailserver shows that in the last month 70 of nearly
16000 inbound TLS connections used an RC4 cipher, the majority (48)
coming from Yahoo using TLSv1 ECDHE-RSA-RC4-SHA.

Testing with https://www.checktls.com, the test selects the most used
(~13000 inbound connections) cipher my server offers: TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384.
regards
christian
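
Added example (not part of the original message or of Postfix): one way to produce the kind of per-cipher tally of inbound TLS connections described above, so you can see which clients still negotiate RC4 before removing it. It assumes the log line format Postfix smtpd writes with smtpd_tls_loglevel = 1; the sample lines, hosts and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample log (placeholder hosts/addresses), smtpd_tls_loglevel = 1.
SAMPLE_LOG = """\
Nov  8 10:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 10:02:11 mx postfix/smtpd[2102]: Anonymous TLS connection established from mta2.example.org[198.51.100.20]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Nov  8 10:03:40 mx postfix/smtpd[2103]: connect from mta3.example.com[203.0.113.5]
Nov  8 10:04:05 mx postfix/smtp[2200]: Trusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 10:05:19 mx postfix/smtpd[2104]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 10:06:33 mx postfix/smtpd[2105]: Anonymous TLS connection established from mta2.example.org[198.51.100.20]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
"""

# Inbound only: matches smtpd (server side), not the outbound smtp client.
TLS_LINE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: \w+ TLS connection established from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def tally(lines):
    """Count inbound TLS sessions per (protocol, cipher) and RC4 users per host."""
    by_suite, rc4_clients = Counter(), Counter()
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # non-TLS or outbound line
        by_suite[(m["proto"], m["cipher"])] += 1
        if "RC4" in m["cipher"]:
            rc4_clients[m["host"]] += 1
    return by_suite, rc4_clients


def rc4_share(by_suite):
    """Return (sessions that used RC4, all inbound TLS sessions)."""
    total = sum(by_suite.values())
    rc4 = sum(n for (_, cipher), n in by_suite.items() if "RC4" in cipher)
    return rc4, total


if __name__ == "__main__":
    suites, clients = tally(SAMPLE_LOG.splitlines())
    for (proto, cipher), n in suites.most_common():
        print(f"{n:6d}  {proto} {cipher}")
    print("RC4 sessions / total:", rc4_share(suites))
    print("RC4 clients:", dict(clients))
```

To run it against a real log, pass the open file instead of SAMPLE_LOG.splitlines(), e.g. tally(open("/var/log/mail.log")); the path is an assumption and varies by distribution.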