Welcome! Log In Create A New Profile


ssl_cipher for mail not working

August 14, 2013 06:56AM

to increase security of SSL I added some eliptic-curves-ciphers to the chain. For HTTPS it's working fine, but for the mail proxy it does not work, I only always get RC4-SHA instead of the ECDH ciphers.
See configuration at the end of this message.

I'm testing it with:
openssl s_client -cipher 'ECDH:DH' -connect domain.de:443
openssl s_client -cipher 'ECDH:DH' -connect imap.domain.de:993

The first command gives me a successful connection with ECDHE-RSA-RC4-SHA, so for HTTPS the cipherlist is used. The second command fails with an error: "sslv3 alert handshake failure", the IMAPS server does not provide ECDH support. I used exactly the same ssl_cipher line for HTTPS and the mail proxy.

When using the following command without forcing any ciphers on the client I can see that RC4-SHA is the "best" cipher that is supported and used:
openssl s_client -connect imap.domain.de:993

Anybody has an idea where the problem is?

Thanks in advance

mail {

proxy on;
starttls on; ## enable STARTTLS for all mail servers

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1 SSLv3;
ssl_session_cache shared:TLSSL:16m;
ssl_session_timeout 10m;

ssl_certificate star_domain_de.crt;
ssl_certificate_key star_domain_de.key;

## default, STARTTLS is appended because of starttls directive above
pop3_capabilities "TOP" "USER";

server {
ssl on;
listen [::]:993;
protocol imap;
server_name imap.domain.de;
proxy_pass_error_message on;

ssl_cipher for mail not working

MKlAugust 14, 2013 06:56AM

Re: ssl_cipher for mail not working

Maxim DouninAugust 18, 2013 07:24PM

Re: ssl_cipher for mail not working

MKlAugust 19, 2013 06:04AM

Re: ssl_cipher for mail not working

Maxim DouninAugust 19, 2013 06:58AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 79
Record Number of Users: 5 on August 04, 2015
Record Number of Guests: 244 on October 02, 2015
Powered by nginx    Powered by FreeBSD    PHP Powered    Powered by Percona     ipv6 ready