On Wednesday, April 16, 2014 7:56:49 PM CEST, Mark Felder wrote:
> Stunnel, however, gives you full control over your cipher suites.

In the sense that it gives you a variable to configure. I spent two hours learning the syntax and semantics, and did not feel that I was in full control afterwards. Maximilian's problem revolves around ECDH/DH vs. kEDH, and perhaps what's compiled in. I have reread the ciphers man page tonight, and I do not feel in control.

> There's a long gap in time between Aox 3.1.3 and 3.2.0, which means for nearly 4 years end users had no control over this. I certainly agree that stunnel is not going to magically make all your security problems go away, but in certain cases it can help to shrink the scope of the damage possible (though possibly not very much for an IMAP server).

The two hours I spent was enough to learn a bit. I learned that googling for cipher advice gives conflicting and wrong advice. And I learned that people who've set ciphers in their configuration didn't update promptly after BEAST was known.

Arnt
