ssl_cipher for mail not working

Maxim Dounin mdounin at mdounin.ru
Sun Aug 18 23:21:58 UTC 2013


Hello!

On Wed, Aug 14, 2013 at 06:56:32AM -0400, MKl wrote:

> Hello,
> 
> to increase security of SSL I added some eliptic-curves-ciphers to the
> chain. For HTTPS it's working fine, but for the mail proxy it does not work,
> I only always get RC4-SHA instead of the ECDH ciphers.
> See configuration at the end of this message.
> 
> I'm testing it with:
> openssl s_client -cipher 'ECDH:DH' -connect domain.de:443
> openssl s_client -cipher 'ECDH:DH' -connect imap.domain.de:993
> 
> The first command gives me a successful connection with ECDHE-RSA-RC4-SHA,
> so for HTTPS the cipherlist is used. The second command fails with an error:
> "sslv3 alert handshake failure", the IMAPS server does not provide ECDH
> support. I used exactly the same ssl_cipher line for HTTPS and the mail
> proxy.
> 
> When using the following command without forcing any ciphers on the client I
> can see that RC4-SHA is the "best" cipher that is supported and used:
> openssl s_client -connect imap.domain.de:993
> 
> Anybody has an idea where the problem is?

Looks like the problem fixed by this changeset:

http://trac.nginx.org/nginx/changeset/32fe021911c9/nginx

Should work fine in nginx 1.5.1+.

[...]

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx mailing list