On 04.03.2015 18:53, Emmanuel Dreyfus wrote:
> On Wed, Mar 04, 2015 at 06:36:07PM +0200, Adrian Minta wrote:
>> Thank you for the answer.
>> The "!EXPORT" part is included in "ECDH@STRENGTH:DH@STRENGTH:HIGH", or it
>> must be added as well ?
> This is not the cipher list I sent. It was:
> ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNUL
>
> Mine does not contain any export cipher, yours does.
> You can use openssl ciphers to compare cipher lists:
>
> $ openssl ciphers EXPORT|tr ':' '\n' |sort > export
> $ openssl ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL \
>    |tr ':' '\n' |sort> manu
> $ openssl ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH |tr ':' '\n' |sort > adrian
> $ join export manu
> (nothing)
> $ join export adrian
> EXP-ADH-DES-CBC-SHA
> EXP-ADH-RC4-MD5
> EXP-EDH-DSS-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA


I was using HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 in apache. You are using ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL for dovecot.

I didn't know how to compare both settings. Now I know, and I see that my "!EXPORT" part is covered by your "ECDH@STRENGTH:DH@STRENGTH:HIGH" part.

$ openssl ciphers HIGH:MEDIUM:\!aNULL:\!eNULL:\!EXPORT:\!CAMELLIA:\!DES:\!MD5:\!PSK:\!RC4 | tr ':' '\n' |sort > /tmp/adrian
$ openssl ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH:\!RC4:\!MD5:\!DES:\!aNULL:\!eNULL | tr ':' '\n' |sort > /tmp/manu
$ diff adrian manu
 6a7,8
 > CAMELLIA128-SHA
 > CAMELLIA256-SHA
 13a16,17
 > DHE-DSS-CAMELLIA128-SHA
 > DHE-DSS-CAMELLIA256-SHA
 20a25,26
 > DHE-RSA-CAMELLIA128-SHA
 > DHE-RSA-CAMELLIA256-SHA
 52c58,60
 < SEED-SHA
 ---
 > PSK-3DES-EDE-CBC-SHA
 > PSK-AES128-CBC-SHA
 > PSK-AES256-CBC-SHA

The main difference is the support for CAMELLIA and PSK. Unfortunately I don't know enough to say if it is good or bad to support either of those two.


Thank you !

--
Best regards,
Adrian Minta
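
The comparison done by hand in this thread, as an added example that is not part of the original messages: it reports the suites unique to each side with `comm` and flags suites whose names mark them as export-grade, anonymous, NULL, RC4, MD5 or single-DES. The function names and the name-matching pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Expand a cipher string with the local openssl, one suite per line.
# Single-quote the argument so an interactive shell leaves "!" alone.
expand() {
    openssl ciphers "$1" | tr ':' '\n' | LC_ALL=C sort -u
}

# Turn a colon-separated list of suite names into sorted, unique lines.
# C collation keeps the order consistent for comm(1).
normalise() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# only_in A B: suites in expanded list A that are absent from list B.
only_in() {
    a=$(mktemp)
    b=$(mktemp)
    normalise "$1" > "$a"
    normalise "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$a" "$b"
}

# flag_weak LIST: name-based heuristic (an assumption of this example) for
# export, anonymous (ADH/AECDH), NULL, RC4, MD5 and single-DES suites.
# DES-CBC3 (3DES) is deliberately not matched by the single-DES pattern.
flag_weak() {
    normalise "$1" |
        grep -E '^EXP-|(^|-)(ADH|AECDH|NULL|RC4|MD5)(-|$)|(^|-)DES-CBC(-|$)' |
        tr '\n' ' ' | sed 's/ $//'
}

# compare_strings 'STRING1' 'STRING2': expand both strings, then report.
compare_strings() {
    x=$(expand "$1" | tr '\n' ':')
    y=$(expand "$2" | tr '\n' ':')
    echo "only in first:   $(only_in "$x" "$y")"
    echo "only in second:  $(only_in "$y" "$x")"
    echo "flagged, first:  $(flag_weak "$x")"
    echo "flagged, second: $(flag_weak "$y")"
}

# Usage, with the two strings from this thread:
# compare_strings 'HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4' \
#                 'ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL'
```

What `compare_strings` prints depends on the installed OpenSSL version, since each release expands keywords such as HIGH and EXPORT differently.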
