changing cipher for imap clients

Dovecot mailing list
When my client connects, I see this in my log:

  dovecot:  imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Whereas, when client connects to my postfix server, I see:

  Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

how can I tell dovecot to use AES256, instead of AES128 ?

is this set by ssl_cipher_list ? Here are my current values (defaults)

# doveconf ssl_cipher_list
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# dovecot --version
2.3.4.1

thanks,

Re: changing cipher for imap clients

Dovecot mailing list

> On 28/10/2019 16:12 Fourhundred Thecat via dovecot <[hidden email]> wrote:
>
>  
> When my client connects, I see this in my log:
>
>   dovecot:  imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
>
> Whereas, when client connects to my postfix server, I see:
>
>   Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> how can I tell dovecot to use AES256, instead of AES128 ?
>
> is this set by ssl_cipher_list ? Here are my current values (defaults)
>
> # doveconf ssl_cipher_list
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> # dovecot --version
> 2.3.4.1
>
> thanks,

Perhaps your client does not support it?

Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used.

aki

Re: changing cipher for imap clients

Dovecot mailing list
> On 2019-10-28 15:36, Aki Tuomi wrote:
> Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used.

Setting ssl_prefer_server_ciphers=yes did the trick. Now my IMAP client uses ECDHE-RSA-AES256-SHA.

many thanks,
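
An added example, not part of the thread or of Dovecot's code: a small model of why ssl_prefer_server_ciphers=yes changed the negotiated suite. Without server preference the first mutually supported suite in the client's order wins; with it, the server's @STRENGTH-sorted order wins. The client's offer order and the four-suite table are assumptions made for illustration.

```python
# Added example, not code from the thread: a model of how a TLS server picks
# the cipher suite. Suite names are real OpenSSL names; the client's offer
# order below is an assumption made for illustration.

# name -> (symmetric key bits, requires TLS 1.2)
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": (128, True),
    "ECDHE-RSA-AES256-GCM-SHA384": (256, True),
    "ECDHE-RSA-AES128-SHA": (128, False),
    "ECDHE-RSA-AES256-SHA": (256, False),
}


def strength_sort(suites):
    """Mimic '@STRENGTH': order by key length, strongest first (stable sort)."""
    return sorted(suites, key=lambda name: -SUITES[name][0])


def negotiate(client_offer, server_list, prefer_server, tls12=False):
    """Return the suite the server selects, or None if nothing is shared.

    prefer_server=False: walk the client's list, take the first suite the server allows.
    prefer_server=True:  walk the server's list, take the first suite the client offered.
    """
    def usable(name):
        # GCM suites cannot be negotiated on a TLSv1 connection.
        return name in SUITES and (tls12 or not SUITES[name][1])

    walk, other = (server_list, client_offer) if prefer_server else (client_offer, server_list)
    for name in walk:
        if name in other and usable(name):
            return name
    return None


# Constructed inputs: a client that lists AES128 ahead of AES256, and a
# server list that has been through the @STRENGTH sort.
CLIENT_OFFER = list(SUITES)
SERVER_LIST = strength_sort(list(SUITES))

if __name__ == "__main__":
    for prefer in (False, True):
        for tls12 in (False, True):
            chosen = negotiate(CLIENT_OFFER, SERVER_LIST, prefer, tls12)
            print(f"prefer_server={prefer!s:5} tls12={tls12!s:5} -> {chosen}")
```

The TLSv1 rows reproduce the two log lines in the thread: ECDHE-RSA-AES128-SHA before the change and ECDHE-RSA-AES256-SHA after it.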

Re: changing cipher for imap clients

Dovecot mailing list
The funny thing is AES128 may be harder to break than AES256.

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

It has been a decade, so it would be interesting to know if Bruce Schneier has the same opinion.

I just use the defaults.

Original Message

From: [hidden email]
Sent: October 28, 2019 7:13 AM
To: [hidden email]
Reply-to: [hidden email]
Subject: changing cipher for imap clients


When my client connects, I see this in my log:

  dovecot:  imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Whereas, when client connects to my postfix server, I see:

  Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

how can I tell dovecot to use AES256, instead of AES128 ?

is this set by ssl_cipher_list ? Here are my current values (defaults)

# doveconf ssl_cipher_list
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# dovecot --version
2.3.4.1

thanks,

Re: changing cipher for imap clients

Dovecot mailing list
On 28 Oct 2019, at 08:45, Fourhundred Thecat <[hidden email]> wrote:
> setting ssl_prefer_server_ciphers=yes did the trick. Now my imap client
> uses ECDHE-RSA-AES256-SHA

Now go turn off TLSv1



--
At night when the bars close down
Brandy walks through a silent town
And loves a man who's not around