On 20.10.2013 01:58, Darren Pilgrim wrote:
> On 10/18/2013 5:32 AM, Reindl Harald wrote:
>> On 18.10.2013 14:22, Adi Kriegisch wrote:
>>>>> PS: I need that feature to enable PFS while allowing Outlook to still
>>>>> connect and the others not to fall back to a different cipher; I was
>>>>> unable to find a PFS cipher that is supported by Outlook and OpenSSL
>>>>
>>>> ssl_cipher_list =
>>>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH
>>>>
>>>> ssl_prefer_server_ciphers = yes
>>>>
>>>> Outlook, at least on WinXP any version, continues to use RC4 ciphers
>>>> but any sane mail client is using PFS ciphers
>>> Thanks for sharing; I opted for disabling RC4 completely and came up with
>>> the following (formatted for readability)
>>>
>>> HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:
>>>
>>> EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:
>>>
>>> +DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:
>>> !AES128:!CAMELLIA128:
>>> !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:!RC4:!SEED:
>>> +AES256-SHA
>>> which disables every cipher with less than 256bit and leaves AES256-SHA as
>>> a last resort for Outlook...
>>
>> this does *not work* with Outlook 2003-2010 on Windows XP
>
> It's not Outlook's fault. Office, IE, etc. all use stunnel which, on
> XP/2003, is as outdated as OpenSSL 0.9.8.
>
> Enable 3DES to support XP clients

and how does that give you any gain over RC4?

http://en.wikipedia.org/wiki/Triple_DES#Security
http://en.wikipedia.org/wiki/RC4#Security

>>> It is noteworthy, however, that RC4, being a stream cipher, is the only common
>>> cipher which is immune[9] to the 2011 BEAST attack on TLS 1.0, which exploits a
>>> known weakness in the way cipher block chaining mode is used with all of the other
>>> ciphers supported by TLS 1.0, which are all block ciphers

why do you waste that much time?

sane clients with the ciphers i provided use secure encryption
without breaking XP users and more you can't do - period
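
Added example, not part of any message in this thread: a small model of how the three server policies discussed above (PFS first with RC4 fallback, RC4 disabled with AES256-SHA as last resort, and the same with 3DES enabled) play out against different client offers when the server's order wins, as with ssl_prefer_server_ciphers = yes. The suite lists, policy names and client names are constructed, abbreviated assumptions, not the real expansion of the cipher strings or the offer of any specific client.

```python
# Added example: models cipher selection only. Every list below is a constructed,
# abbreviated sample, not the real expansion of the cipher strings in the thread.
PFS_PREFIXES = ("ECDHE-", "DHE-")  # ephemeral (EC)DH key exchange in OpenSSL names

PFS_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
              "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA"]

SERVER_POLICIES = {  # server preference order, most preferred first (hypothetical names)
    "pfs_then_rc4": PFS_SUITES + ["ECDHE-RSA-RC4-SHA", "RC4-SHA"],
    "no_rc4_aes256_last": PFS_SUITES + ["AES256-SHA"],
    "no_rc4_plus_3des": PFS_SUITES + ["AES256-SHA", "DES-CBC3-SHA"],
}

CLIENT_OFFERS = {  # client preference order (assumed for illustration)
    "pfs_capable": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "AES256-SHA"],
    "rc4_first": ["RC4-SHA", "ECDHE-RSA-AES256-SHA", "AES256-SHA"],
    "legacy_rc4_3des_only": ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"],
}


def negotiate(server_prefs, client_offer, prefer_server=True):
    """Pick the first suite in the deciding side's order that the other side also has."""
    if prefer_server:
        deciding, other = server_prefs, client_offer
    else:
        deciding, other = client_offer, server_prefs
    shared = set(other)
    return next((s for s in deciding if s in shared), None)  # None = handshake failure


def is_pfs(suite):
    """True when the negotiated suite uses an ephemeral (EC)DH key exchange."""
    return suite is not None and suite.startswith(PFS_PREFIXES)


def outcome_table(prefer_server=True):
    """Map (policy, client) -> negotiated suite for every combination."""
    return {(p, c): negotiate(prefs, offer, prefer_server)
            for p, prefs in SERVER_POLICIES.items()
            for c, offer in CLIENT_OFFERS.items()}


if __name__ == "__main__":
    for (policy, client), suite in outcome_table().items():
        tag = "handshake failure" if suite is None else (
            suite + (" [PFS]" if is_pfs(suite) else " [no PFS]"))
        print(f"{policy:20} {client:22} {tag}")
```

Passing prefer_server=False to outcome_table() shows what changes when the client's order decides instead.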