Thanks. I found this list:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

on this page: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

I think I’m going to just go with his recommendations (and bookmark him for any future changes) since he seems to be on top of this issue.

Kevin

On Feb 7, 2014, at 4:31 AM, Reindl Harald <h.rei...@thelounge.net> wrote:

> On 07.02.2014 03:37, KT Walrus wrote:
>> I’m trying to set up SSL/TLS IMAP connections.
>>
>> What is the recommended cipher list to set tls_ciphers in dbmail.conf?
>>
>> I copied a cipher list from some random example I found on the web, and it
>> does work, but I don’t really understand what is the best list to use
>
> in that case honestly you better don't touch defaults because your changes will
> most likely never get reviewed while defaults may change to better ones
> no idea if dbmail implements SSLHonorCipherOrder because i have dovecot in front
>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
>
> the above list works on Apache and Dovecot leading to the following cipher order
> and yes you want to prefer AES-128 because your RSA key most likely is even too
> small for AES-128 which needs 3072 Bit and there are existing theoretical attacks
> against AES-256 not affecting AES-128
>
> https://www.ssllabs.com/ssltest/ on a webserver
> Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH 256 bits (eq. 3072 bits RSA)   FS 128
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH 256 bits (eq. 3072 bits RSA)   FS 256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)          DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)          DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)     DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)     DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256
> TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)           128
> TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)           256
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)              128
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)              256
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)         128
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)         256
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)     ECDH 256 bits (eq. 3072 bits RSA)   FS 112
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
>
>
> _______________________________________________
> DBmail mailing list
> DBmail@dbmail.org
> http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
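Whichever cipher string ends up in tls_ciphers, the thing worth checking is the server-preferred order a scanner actually reports back, of the kind Reindl pasted above. The script below is an added example for this thread, not code from DBmail, from either poster, or from the article Kevin links: it parses lines in the shape of that ssllabs output and flags the problems a reviewer of a cipher order looks for (legacy primitives such as 3DES or RC4 anywhere in the list, a non-forward-secret suite ranked above a forward-secret one, and small DH groups). The sample scans are constructed, the first from a handful of the quoted lines; the 2048-bit DH floor and the list of weak tokens are my own policy choices, not anything the thread states.

```python
"""Audit a server-preferred cipher list as printed by an ssllabs-style scan.

Added example for this thread (not DBmail code, not either poster's code).
Line shape assumed from the scan quoted in the thread:
  <TLS_NAME> (<0xID>) [ECDH|DH <n> bits (<params>)] [FS] [<strength>]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the scan quoted above, same line shape.
SAMPLE_SCAN = """\
Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
"""

# Constructed sample of a badly ordered server: static RSA ranked first,
# a 1024-bit DH group, and an RC4/MD5 suite still enabled.
BAD_ORDER_SCAN = """\
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
"""

LINE_RE = re.compile(
    r"^(?P<name>TLS_\S+)\s+\((?P<id>0x[0-9a-fA-F]+)\)"
    r"(?:\s+(?P<kx>ECDH|DH)\s+(?P<kxbits>\d+)\s+bits\s+\([^)]*\))?"
    r"(?:\s+(?P<fs>FS))?"
    r"(?:\s+(?P<strength>\d+))?\s*$"
)

# Policy choices for this example (assumptions, not from the thread).
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "MD5", "DES_CBC", "3DES")
MIN_DH_BITS = 2048


@dataclass
class Suite:
    name: str
    suite_id: int
    kx: Optional[str]        # "ECDH", "DH", or None for static RSA key exchange
    kx_bits: Optional[int]   # ephemeral key size the scanner reported
    fs: bool                 # scanner marked the suite forward secret
    strength: Optional[int]  # symmetric key bits, missing on the last quoted line


def parse_scan(text: str) -> List[Suite]:
    """Parse scanner lines; headers and other non-suite lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        suites.append(Suite(
            name=m["name"],
            suite_id=int(m["id"], 16),
            kx=m["kx"],
            kx_bits=int(m["kxbits"]) if m["kxbits"] else None,
            fs=m["fs"] is not None,
            strength=int(m["strength"]) if m["strength"] else None,
        ))
    return suites


def weak_token(s: Suite) -> Optional[str]:
    """Return the first legacy primitive found in the suite name, if any."""
    return next((t for t in WEAK_TOKENS if t in s.name), None)


def audit(suites: List[Suite]) -> List[str]:
    """Return human-readable findings, in server-preferred order."""
    findings = []
    for i, s in enumerate(suites):
        tok = weak_token(s)
        if tok:
            findings.append(f"weak suite offered: {s.name} ({tok})")
            continue  # ordering of a suite that should not exist is moot
        if s.kx == "DH" and s.kx_bits is not None and s.kx_bits < MIN_DH_BITS:
            findings.append(f"DH group too small: {s.name} uses {s.kx_bits} bits")
        if not s.fs:
            # A static-RSA suite ranked above a sound forward-secret suite means
            # SSLHonorCipherOrder-style preference is wrong or not in effect.
            later = next((t for t in suites[i + 1:] if t.fs and not weak_token(t)), None)
            if later:
                findings.append(f"order: non-FS {s.name} preferred over FS {later.name}")
    return findings


if __name__ == "__main__":
    for label, scan in (("quoted scan", SAMPLE_SCAN), ("bad order", BAD_ORDER_SCAN)):
        print(f"== {label}")
        for f in audit(parse_scan(scan)):
            print("  " + f)
```

On the quoted scan the only findings are the two 3DES suites at the tail, which is consistent with Reindl's point that the order, not just the membership, is what the list is for. Feed it the output of a fresh scan against port 993 or 143 (after STARTTLS) rather than a web server, since an IMAP daemon may honour a different preference than the Apache instance the quoted results come from.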