> "openssl dhparams" generates DH parameters. couriertls checks if the 
> certificate file contains DH parameters, and if so, they get loaded.
> As you know, Courier reads both the private key and the certificate 
> from the same file. PEM-formatted files may have multiple contents, 
> like a private key and a certificate. And DH parameters. I wrote:
>
> "Use 'openssl dhparams" to generate a set of new DH parameters, and 
> append them to your certificate file, and see if it helps."
>
> Did you do that? 

Sorry, I had not fully understood what I was supposed to do and got 
confused by the output of "openssl dhparams"
(which because my terminal window was too small had omitted the 
"openssl:Error: 'dhparams' is an invalid command" at the top and I was 
under the impression that the list of "Cipher commands" was actually the 
output of this command and not just a general list of options displayed 
for a wrong parameter - my openssl knowledge barely goes beyond copy&paste)

Searching for the dhparam syntax (without the s in the end) I found this 
excellent guide that even mentions courier specifically: 
https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/

Following this guide, I ran "openssl dhparam -out dhparams.pem 2048" and 
"cat dhparams.pem >> esmtpd.pem" and "/etc/init.d/courier restart"

but nothing has changed. I then also tried it with a custom cipher list 
("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5"
 
and I also tried 
"DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL") but 
that didn't change things either with the new DH PARAMETERS section at 
the end of the PEM file.

So it's still not working. Thank you very much for helping me jump 
through those hoops though!
But I somehow doubt that many people would do that, even if it were 
documented and working. The excellent guide I linked to a few lines 
earlier says:

> If you find any application which exhibits this problem, please file a 
> bug report and convince the maintainers to at least generate a warning 
> to the user and state the consequences in the documentation. If you 
> are a developer of an application which uses OpenSSL please consider 
> shipping install scripts that generate dhparams or generate them on 
> the fly if they are missing. Please do not just let OpenSSL silently 
> disable a key feature of SSL.

While DHE/ECDHE do carry some performance penalty, according to: 
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html 
it's only 15-27% for ECDHE (more for DHE).
I would suggest that in the age of cheap multi-core CPUs (and in the age 
of a certain agency snooping through pretty much the entire internet 
traffic - at least from my European perspective) such a low performance 
penalty is not reason enough to make a not-as-secure SSL option the 
default. If even the official courier-mta.org MX server doesn't have 
this correctly enabled, I somehow doubt anyone else does... And somehow 
dovecot/postfix seem to manage to have this as default without 
generating special DH parameter files?

Gerald
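The generate/append/restart steps from the message above, written up as an added helper script that is not part of this thread or of Courier itself; it refuses to append the DH block twice and checks that the combined PEM file carries all three sections. The file paths and the hostname are assumptions.

```shell
# Added example (not from the thread): idempotent helper that appends
# generated DH parameters to a Courier PEM file and checks that the file
# then carries a private key, a certificate and DH parameters, which is
# what couriertls expects to read from the one file.
# Paths below are assumptions; /etc/courier/esmtpd.pem is the usual location.

# Return 0 if FILE already contains a "DH PARAMETERS" block.
pem_has_dh() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Print how many "DH PARAMETERS" blocks FILE holds (exactly 1 is expected).
pem_dh_count() {
    grep -c -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Append DHFILE to PEMFILE unless DH parameters are already present,
# so re-running the script never duplicates the block.
append_dhparams() {
    pemfile=$1
    dhfile=$2
    if pem_has_dh "$pemfile"; then
        return 0
    fi
    cat "$dhfile" >> "$pemfile"
}

# Return 0 only if PEMFILE holds a private key, a certificate and DH
# parameters; a file missing any of them is not ready for Courier.
pem_complete() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" \
      && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
      && pem_has_dh "$1"
}

# Typical use (needs openssl; generating 2048-bit parameters can take minutes):
#   openssl dhparam -out /tmp/dhparams.pem 2048
#   append_dhparams /etc/courier/esmtpd.pem /tmp/dhparams.pem
#   pem_complete /etc/courier/esmtpd.pem && /etc/init.d/courier restart
# Then confirm a DHE suite is actually negotiated against your own server
# (the "Cipher" line of the output should name a DHE suite):
#   openssl s_client -connect mail.example.org:25 -starttls smtp -cipher 'DHE' </dev/null
```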
