Welcome! Log In Create A New Profile

Advanced

ssl_cipher for mail not working

August 14, 2013 06:56AM
Hello,

to increase security of SSL I added some eliptic-curves-ciphers to the chain. For HTTPS it's working fine, but for the mail proxy it does not work, I only always get RC4-SHA instead of the ECDH ciphers.
See configuration at the end of this message.

I'm testing it with:
openssl s_client -cipher 'ECDH:DH' -connect domain.de:443
openssl s_client -cipher 'ECDH:DH' -connect imap.domain.de:993

The first command gives me a successful connection with ECDHE-RSA-RC4-SHA, so for HTTPS the cipherlist is used. The second command fails with an error: "sslv3 alert handshake failure", the IMAPS server does not provide ECDH support. I used exactly the same ssl_cipher line for HTTPS and the mail proxy.

When using the following command without forcing any ciphers on the client I can see that RC4-SHA is the "best" cipher that is supported and used:
openssl s_client -connect imap.domain.de:993

Anybody has an idea where the problem is?

Thanks in advance
Michael

================
mail {
auth_http 127.0.0.1/mailauth.php;

proxy on;
starttls on; ## enable STARTTLS for all mail servers

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1 SSLv3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
ssl_session_cache shared:TLSSL:16m;
ssl_session_timeout 10m;

ssl_certificate star_domain_de.crt;
ssl_certificate_key star_domain_de.key;

## default, STARTTLS is appended because of starttls directive above
imap_capabilities "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "ID" "ENABLE" "IDLE" "NAMESPACE" "AUTH=LOGIN" "AUTH=DIGEST-MD5" "AUTH=CRAM-MD5";
pop3_capabilities "TOP" "USER";

server {
ssl on;
listen [::]:993;
protocol imap;
server_name imap.domain.de;
proxy_pass_error_message on;
}
SubjectAuthorPosted

ssl_cipher for mail not working

MKlAugust 14, 2013 06:56AM

Re: ssl_cipher for mail not working

Maxim DouninAugust 18, 2013 07:24PM

Re: ssl_cipher for mail not working

MKlAugust 19, 2013 06:04AM

Re: ssl_cipher for mail not working

Maxim DouninAugust 19, 2013 06:58AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 58
Record Number of Users: 7 on March 06, 2014
Record Number of Guests: 229 on August 01, 2014
Powered by nginx    Powered by FreeBSD    PHP Powered    Powered by Percona     ipv6 ready