G'day Maxim

> G'day Maxim,

> Tuesday, June 5, 2018, 10:20:31 PM, you wrote:

>> What's new in 8.3.0.26 since 8.3.0.25:
>> [+] TLS 1.2 (but ECDHE is not yet supported)

> TLS 1.2 works for me on Mdaemon 18

> Wed 2018-06-06 07:58:57.947: Accepting IMAP connection from x.x.x.:XXXX to
> x.x.x.x:993
> Wed 2018-06-06 07:58:57.969: SSL negotiation successful (TLS 1.2, 255 bit key
> exchange, 256 bit AES encryption)
> Wed 2018-06-06 07:58:57.969: --> * OK embassy.klingon-embassy.co.za IMAP4rev1
> MDaemon 18.0.2b ready

This is what my mailserver gives, but with success.

./analyze.pl -v 3 --all-ciphers mail.tinyhunter.de:993
+ checking host=mail.tinyhunter.de(213.160.42.164 2001:470:1f13:108d::64) port=993
* version SSLv23 no verification, ciphers= -> TLSv1_2,ECDHE-RSA-AES256-GCM-SHA384
* version SSLv23 no verification, ciphers=HIGH:ALL -> TLSv1_2,ECDHE-RSA-AES256-GCM-SHA384
* version TLSv1_2 no verification, ciphers= -> TLSv1_2,ECDHE-RSA-AES256-GCM-SHA384
* version TLSv1_2 no verification, ciphers=HIGH:ALL -> TLSv1_2,ECDHE-RSA-AES256-GCM-SHA384
* version TLSv1_1 no verification, ciphers= -> TLSv1_1,ECDHE-RSA-AES256-SHA
* version TLSv1_1 no verification, ciphers=HIGH:ALL -> TLSv1_1,ECDHE-RSA-AES256-SHA
* version TLSv1 no verification, ciphers= -> TLSv1,ECDHE-RSA-AES256-SHA
* version TLSv1 no verification, ciphers=HIGH:ALL -> TLSv1,ECDHE-RSA-AES256-SHA
+ successful connect with TLSv1_2, cipher=ECDHE-RSA-AES256-SHA, sni=mail.tinyhunter.de and no other TLS extensions
+ SNI success
* same certificate chain in without SNI
+ certificate verify success
+ OCSP stapling: got stapled response
<3> need to send 120 bytes OCSP request to http://status.rapidssl.com
<3> need to send 120 bytes OCSP request to http://ocsp.digicert.com
+ all certificates verified
+ same results for SSL upgrade on 2001:470:1f13:108d::64 compared to 213.160.42.164
* connect with version TLSv1_2 cipher ECDHE-RSA-AES256-GCM-SHA384
* connect with version TLSv1_2 cipher ECDHE-RSA-AES128-GCM-SHA256
* connect with version TLSv1_2 cipher ECDHE-RSA-AES256-SHA384
* connect with version TLSv1_2 cipher ECDHE-RSA-AES128-SHA256
* connect with version TLSv1_2 cipher ECDHE-RSA-AES256-SHA
* connect with version TLSv1_2 cipher ECDHE-RSA-AES128-SHA
* connect with version TLSv1_2 cipher AES256-GCM-SHA384
* connect with version TLSv1_2 cipher AES128-GCM-SHA256
* connect with version TLSv1_2 cipher AES256-SHA256
* connect with version TLSv1_2 cipher AES128-SHA256
* connect with version TLSv1_2 cipher AES256-SHA
* connect with version TLSv1_2 cipher AES128-SHA
* connect with version TLSv1_2 cipher DHE-RSA-AES256-GCM-SHA384
* connect with version TLSv1_2 cipher DHE-RSA-AES128-GCM-SHA256
* connect with version TLSv1_2 cipher DHE-RSA-AES256-SHA
* connect with version TLSv1_2 cipher DHE-RSA-AES128-SHA
<3> handshake failed with HIGH:ALL:eNULL:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA: SSL connect attempt failed
<3> tried with cipher list 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:HIGH:ALL' -> ECDHE-RSA-AES256-GCM-SHA384
<3> tried with cipher list 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:HIGH:ALL' -> ECDHE-RSA-AES256-GCM-SHA384
* server decides cipher order
-- mail.tinyhunter.de port 993
 * maximum SSL version : TLSv1_2 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_2   TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_1   TLSv1_1   ECDHE-RSA-AES256-SHA
   * TLSv1     TLSv1     ECDHE-RSA-AES256-SHA
 * cipher order by : server
 * SNI supported : ok
 * certificate verified : ok
 * chain on 213.160.42.164
   * [0/0] bits=2048, ocsp_uri=http://status.rapidssl.com, /CN=mail.tinyhunter.de SAN=DNS:mail.tinyhunter.de
   * [1/1] bits=2048, ocsp_uri=http://ocsp.digicert.com, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
   * [-/2] bits=2048, ocsp_uri=, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 * OCSP stapling : got stapled response
 * OCSP status : good
 * supported ciphers with SSLv23 handshake
   * TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256
   * TLSv1_2 ECDHE-RSA-AES256-SHA384
   * TLSv1_2 ECDHE-RSA-AES128-SHA256
   * TLSv1_2 ECDHE-RSA-AES256-SHA
   * TLSv1_2 ECDHE-RSA-AES128-SHA
   * TLSv1_2 AES256-GCM-SHA384
   * TLSv1_2 AES128-GCM-SHA256
   * TLSv1_2 AES256-SHA256
   * TLSv1_2 AES128-SHA256
   * TLSv1_2 AES256-SHA
   * TLSv1_2 AES128-SHA
   * TLSv1_2 DHE-RSA-AES256-GCM-SHA384
   * TLSv1_2 DHE-RSA-AES128-GCM-SHA256
   * TLSv1_2 DHE-RSA-AES256-SHA
   * TLSv1_2 DHE-RSA-AES128-SHA

cheers
Marcus

________________________________________________________
Current beta is 8.3.0.26 | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
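
Added example, not part of the original message and not code from analyze.pl or The Bat!: it parses the "supported ciphers" list from the scan above and works out what a TLS 1.2 client without ECDHE (as the quoted release note describes) would end up negotiating. Assumptions: the order analyze.pl lists the ciphers in is the server's preference order (the scan reports "server decides cipher order"), and the client is modelled only by the key exchanges it supports; the function names are hypothetical.

```python
import re

# "supported ciphers with SSLv23 handshake" list, copied from the scan in the
# message above; assumed to be in server preference order.
SCAN = """\
 * TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384
 * TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256
 * TLSv1_2 ECDHE-RSA-AES256-SHA384
 * TLSv1_2 ECDHE-RSA-AES128-SHA256
 * TLSv1_2 ECDHE-RSA-AES256-SHA
 * TLSv1_2 ECDHE-RSA-AES128-SHA
 * TLSv1_2 AES256-GCM-SHA384
 * TLSv1_2 AES128-GCM-SHA256
 * TLSv1_2 AES256-SHA256
 * TLSv1_2 AES128-SHA256
 * TLSv1_2 AES256-SHA
 * TLSv1_2 AES128-SHA
 * TLSv1_2 DHE-RSA-AES256-GCM-SHA384
 * TLSv1_2 DHE-RSA-AES128-GCM-SHA256
 * TLSv1_2 DHE-RSA-AES256-SHA
 * TLSv1_2 DHE-RSA-AES128-SHA
"""

LINE = re.compile(r"^\s*\*\s+(TLSv1(?:_[12])?|SSLv3)\s+([A-Z0-9-]+)\s*$")
KX_PREFIXES = (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("AES", "RSA"))

def key_exchange(cipher):
    """Key exchange implied by an OpenSSL cipher name; bare AES* names use static RSA."""
    for prefix, kx in KX_PREFIXES:
        if cipher.startswith(prefix):
            return kx
    return "OTHER"  # name pattern not present in this scan

def parse(scan):
    """Return [(protocol, cipher, key_exchange)] in the order the scan lists them."""
    hits = (LINE.match(line) for line in scan.splitlines())
    return [(m.group(1), m.group(2), key_exchange(m.group(2))) for m in hits if m]

def negotiate(server_order, client_kx):
    """First server-preferred cipher the client can use: (cipher, kx, forward_secrecy)."""
    for _proto, cipher, kx in server_order:
        if kx in client_kx:
            return cipher, kx, kx in ("ECDHE", "DHE")
    return None

if __name__ == "__main__":
    order = parse(SCAN)
    print("full client:   ", negotiate(order, {"ECDHE", "DHE", "RSA"}))
    print("no-ECDHE client:", negotiate(order, {"DHE", "RSA"}))
```

With this server order, a client lacking ECDHE lands on AES256-GCM-SHA384 (static RSA, no forward secrecy) even though DHE suites are offered, because the server ranks the static RSA suites above the DHE ones.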

