Forum: NGINX ssl_cipher for mail not working

MKl (Guest)
on 2013-08-14 12:57
(Received via mailing list)
Hello,

To increase the security of SSL I added some elliptic-curve ciphers to the chain. For HTTPS it's working fine, but for the mail proxy it does not work; I only ever get RC4-SHA instead of the ECDH ciphers. See the configuration at the end of this message.

I'm testing it with:
openssl s_client -cipher 'ECDH:DH' -connect domain.de:443
openssl s_client -cipher 'ECDH:DH' -connect imap.domain.de:993

The first command gives me a successful connection with ECDHE-RSA-RC4-SHA, so for HTTPS the cipher list is used. The second command fails with an error, "sslv3 alert handshake failure": the IMAPS server does not provide ECDH support. I used exactly the same ssl_ciphers line for HTTPS and the mail proxy.

When using the following command without forcing any ciphers on the client, I can see that RC4-SHA is the "best" cipher that is supported and used:
openssl s_client -connect imap.domain.de:993

Does anybody have an idea where the problem is?

Thanks in advance
Michael

================
mail {
  auth_http  127.0.0.1/mailauth.php;

  proxy     on;
  starttls  on; ## enable STARTTLS for all mail servers

  ssl_prefer_server_ciphers  on;
  ssl_protocols              TLSv1.1 TLSv1.2 TLSv1 SSLv3;
  ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
  ssl_session_cache          shared:TLSSL:16m;
  ssl_session_timeout        10m;

  ssl_certificate            star_domain_de.crt;
  ssl_certificate_key        star_domain_de.key;

  ## default, STARTTLS is appended because of starttls directive above
  imap_capabilities  "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "ID" "ENABLE" "IDLE" "NAMESPACE" "AUTH=LOGIN" "AUTH=DIGEST-MD5" "AUTH=CRAM-MD5";
  pop3_capabilities  "TOP"  "USER";

  server {
    ssl          on;
    listen       [::]:993;
    protocol     imap;
    server_name  imap.domain.de;
    proxy_pass_error_message       on;
  }
}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241834,241834#msg-241834
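The openssl s_client probing in the post above is the right way to verify what the mail proxy actually negotiates, since nginx's mail{} and http{} blocks are separate SSL contexts and a cipher list that works on 443 tells you nothing about 993. The script below is an added example, not code from the thread or from nginx: it wraps that probe for the mail ports, distinguishes implicit-TLS ports (993/995/465, probed exactly as in the post) from STARTTLS ports (143/110/25/587, which need `-starttls <proto>`), and classifies the s_client output so a handshake failure or an RC4-only negotiation is reported as such. It assumes openssl(1) is on PATH; imap.example.org is a placeholder hostname and the SAMPLE_* outputs are constructed, abridged copies of the shape s_client prints, included so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: script the openssl s_client cipher
# probe for mail ports and classify the result. Assumes openssl(1) on PATH.

# Print the STARTTLS protocol name s_client needs for a plaintext mail port,
# or nothing for implicit-TLS ports (993/995/465) and HTTPS (443).
starttls_proto() {
  case "$1" in
    143)    echo imap ;;
    110)    echo pop3 ;;
    25|587) echo smtp ;;
    *)      ;;
  esac
}

# Read s_client output on stdin. Print the negotiated cipher name, or
# HANDSHAKE_FAILURE when the server rejected every offered cipher (the
# "sslv3 alert handshake failure" the post sees on port 993), or UNKNOWN.
parse_cipher() {
  out=$(cat)
  case "$out" in
    *"handshake failure"*) echo HANDSHAKE_FAILURE; return 0 ;;
  esac
  cipher=$(printf '%s\n' "$out" \
    | sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
  echo "${cipher:-UNKNOWN}"
}

# Succeed (0) only for ephemeral-ECDH suites, i.e. the forward-secret
# ciphers the post is trying to get the mail proxy to offer.
is_ecdhe() {
  case "$1" in
    ECDHE-*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Live probe: probe HOST PORT CIPHERS, e.g. probe imap.example.org 993 'ECDH:DH'
probe() {
  host=$1; port=$2; ciphers=$3
  proto=$(starttls_proto "$port")
  if [ -n "$proto" ]; then
    out=$(openssl s_client -cipher "$ciphers" -starttls "$proto" \
            -connect "$host:$port" </dev/null 2>&1)
  else
    out=$(openssl s_client -cipher "$ciphers" -connect "$host:$port" </dev/null 2>&1)
  fi
  cipher=$(printf '%s\n' "$out" | parse_cipher)
  if is_ecdhe "$cipher"; then
    echo "$host:$port negotiated $cipher (ECDHE offered)"
  else
    echo "$host:$port negotiated $cipher (no ECDHE: check ssl_ciphers in mail{} and the nginx version)"
  fi
}

# Constructed, abridged sample outputs in the shape openssl s_client prints.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 00'
SAMPLE_RC4='SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'
SAMPLE_FAIL='CONNECTED(00000003)
1234:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
no peer certificate available'
```

Run `probe imap.example.org 993 'ECDH:DH'` after the configuration change (or after the upgrade the next reply recommends); the expected good result is a line naming an ECDHE-* cipher, while HANDSHAKE_FAILURE reproduces the symptom in the post. For a STARTTLS listener on 143 the same call works because starttls_proto adds `-starttls imap`.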
Maxim Dounin (Guest)
on 2013-08-19 01:22
(Received via mailing list)
Hello!

On Wed, Aug 14, 2013 at 06:56:32AM -0400, MKl wrote:

>
> Does anybody have an idea where the problem is?
Looks like the problem is fixed by this changeset:

http://trac.nginx.org/nginx/changeset/32fe021911c9/nginx

Should work fine in nginx 1.5.1+.

[...]

--
Maxim Dounin
http://nginx.org/en/donation.html
MKl (Guest)
on 2013-08-19 12:05
(Received via mailing list)
Maxim Dounin Wrote:
-------------------------------------------------------
> Looks like the problem is fixed by this changeset:
>
> http://trac.nginx.org/nginx/changeset/32fe021911c9/nginx
>
> Should work fine in nginx 1.5.1+.

Hi Maxim,

thanks for your answer! I will try this later.
Will this also be merged into the 1.4 or even the 1.2 branch, since it's a bugfix and not a new feature? Currently we have the problem that the upload-module and upload-progress-module are not working with >=1.4, so we are still on the 1.2 branch.

Thank you again for your help and work on nginx!
Michael

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241834,242014#msg-242014
Maxim Dounin (Guest)
on 2013-08-19 12:57
(Received via mailing list)
Hello!

On Mon, Aug 19, 2013 at 06:04:49AM -0400, MKl wrote:

> thanks for your answer! I will try this later.
> Will this also be merged into 1.4 or even 1.2 branch? Because it's a bugfix
> and not a new feature?

Certainly not into 1.2.x, it's obsolete.  Most likely not into
1.4.x as it's never worked in previous versions.

--
Maxim Dounin
http://nginx.org/en/donation.html