Hello,
to increase security of SSL I added some eliptic-curves-ciphers to the
chain. For HTTPS it’s working fine, but for the mail proxy it does not
work,
I only always get RC4-SHA instead of the ECDH ciphers.
See configuration at the end of this message.
I’m testing it with:
openssl s_client -cipher ‘ECDH:DH’ -connect domain.de:443
openssl s_client -cipher ‘ECDH:DH’ -connect imap.domain.de:993
The first command gives me a successful connection with
ECDHE-RSA-RC4-SHA,
so for HTTPS the cipherlist is used. The second command fails with an
error:
“sslv3 alert handshake failure”, the IMAPS server does not provide ECDH
support. I used exactly the same ssl_cipher line for HTTPS and the mail
proxy.
When using the following command without forcing any ciphers on the
client I
can see that RC4-SHA is the “best” cipher that is supported and used:
openssl s_client -connect imap.domain.de:993
Anybody has an idea where the problem is?
Thanks in advance
Michael
================
mail {
auth_http 127.0.0.1/mailauth.php;
proxy on;
starttls on; ## enable STARTTLS for all mail servers
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1 SSLv3;
ssl_ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
ssl_session_cache shared:TLSSL:16m;
ssl_session_timeout 10m;
ssl_certificate star_domain_de.crt;
ssl_certificate_key star_domain_de.key;
default, STARTTLS is appended because of starttls directive above
imap_capabilities “IMAP4rev1” “LITERAL+” “SASL-IR” “LOGIN-REFERRALS”
“ID”
“ENABLE” “IDLE” “NAMESPACE” “AUTH=LOGIN” “AUTH=DIGEST-MD5”
“AUTH=CRAM-MD5”;
pop3_capabilities “TOP” “USER”;
server {
ssl on;
listen [::]:993;
protocol imap;
server_name imap.domain.de;
proxy_pass_error_message on;
}
Posted at Nginx Forum: