ssl_cipher for mail not working
Maxim Dounin
mdounin at mdounin.ru
Sun Aug 18 23:21:58 UTC 2013
Hello!
On Wed, Aug 14, 2013 at 06:56:32AM -0400, MKl wrote:
> Hello,
>
> to increase security of SSL I added some eliptic-curves-ciphers to the
> chain. For HTTPS it's working fine, but for the mail proxy it does not work,
> I only always get RC4-SHA instead of the ECDH ciphers.
> See configuration at the end of this message.
>
> I'm testing it with:
> openssl s_client -cipher 'ECDH:DH' -connect domain.de:443
> openssl s_client -cipher 'ECDH:DH' -connect imap.domain.de:993
>
> The first command gives me a successful connection with ECDHE-RSA-RC4-SHA,
> so for HTTPS the cipherlist is used. The second command fails with an error:
> "sslv3 alert handshake failure", the IMAPS server does not provide ECDH
> support. I used exactly the same ssl_cipher line for HTTPS and the mail
> proxy.
>
> When using the following command without forcing any ciphers on the client I
> can see that RC4-SHA is the "best" cipher that is supported and used:
> openssl s_client -connect imap.domain.de:993
>
> Anybody has an idea where the problem is?
Looks like the problem fixed by this changeset:
http://trac.nginx.org/nginx/changeset/32fe021911c9/nginx
Should work fine in nginx 1.5.1+.
[...]
--
Maxim Dounin
http://nginx.org/en/donation.html
More information about the nginx
mailing list