2016-03-06 21:07:05

Enhanced encryption for dovecot on RHEL/CentOS 5

Red Hat's dovecot rpm package is the old version 1.0.7, which lacks modern cryptography and, on RHEL 5, has the additional disadvantage of being linked against OpenSSL 0.9.8.

The tuxad repo for RHEL 5 / CentOS 5 contains a patched version of Red Hat's dovecot:

  • linked against tuxad repo's openssl1 package
  • DH params increased to 2048 bits
  • enabled EC cryptography
  • refreshable /etc/dovecot.dh_params file

If you use an ssl_cipher_list such as

[frankb@treferpol tuxad]$ grep ^ssl_cipher_list \
  /etc/dovecot.conf

ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256: \
  ECDHE-ECDSA-AES256-GCM-SHA384: \
  ECDHE-RSA-AES128-GCM-SHA256: \
  ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256: \
  DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256: \
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256: \
  ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256: \
  DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA: \
  ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA: \
  ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA: \
  DHE-RSA-AES256-SHA:ALL:!aNULL:!ADH:!3DES:!EXP:!RC4: \
  !kRSA:!kKRB5:!aDSS:!DES:!aPSK:!kECDH

then ssltest.sh (available for download) gives you these results:

$ SSLCipherSuite=ALL ssltest.sh 127.0.0.1 993 
Testing: 81.89.239.233 993 ALL
Testing protocols:
SSLv2: NO
SSLv3: NO
TLSv1: YES
TLSv1.1: YES
TLSv1.2: YES
Testing ciphers using protocol TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AES(256) Mac=SHA384 TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA256 TempKey: DH, 2048 bits
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA \
  Enc=Camellia(256) Mac=SHA1 TempKey: DH, 2048 bits
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(128) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AES(128) Mac=SHA256 TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) \
  Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc= \
  AESGCM(128) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) \
  Mac=SHA256 TempKey: DH, 2048 bits
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA \
  Enc=Camellia(128) Mac=SHA1 TempKey: DH, 2048 bits
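
A small audit of the output format shown above, as an added example that is neither part of the original post nor of ssltest.sh: it parses the one-line-per-cipher result lines (the sample input below is constructed in that format, with the wrapped lines joined) and checks each suite for ephemeral key exchange, a DH temp key of at least 2048 bits, and legacy SHA1 MACs.

```python
"""Audit ssltest.sh-style cipher lines: added example, not part of the original
post or of ssltest.sh. Sample input below is constructed in that output format."""
import re

# Constructed sample (unwrapped lines); only the first line passes the policy cleanly.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 TempKey: DH, 1024 bits
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+) (?P<proto>\S+) Kx=(?P<kx>\S+) Au=(?P<au>\S+) "
    r"Enc=(?P<enc>\S+) Mac=(?P<mac>\S+)(?: TempKey: (?P<tempkey>.*))?$"
)
MIN_DH_BITS = 2048  # the DH parameter size the patched package uses

def parse_line(line):
    """Return the fields of one cipher line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def temp_key_bits(tempkey):
    """Bit length from 'DH, 2048 bits' or 'ECDH, secp521r1, 521 bits' (0 if absent)."""
    m = re.search(r"(\d+) bits", tempkey or "")
    return int(m.group(1)) if m else 0

def audit(output):
    """Map cipher name -> list of policy issues (an empty list means the suite passed)."""
    findings = {}
    for line in output.splitlines():
        c = parse_line(line)
        if not c:
            continue
        issues = []
        if c["kx"] not in ("ECDH", "DH"):  # static RSA key exchange: no forward secrecy
            issues.append("no forward secrecy")
        if c["kx"] == "DH" and temp_key_bits(c["tempkey"]) < MIN_DH_BITS:
            issues.append("DH temp key below %d bits" % MIN_DH_BITS)
        if c["mac"] == "SHA1":  # still allowed by the list above, but non-AEAD legacy
            issues.append("SHA1 MAC")
        findings[c["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_OUTPUT).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Feed it the real ssltest.sh output (with the wrapped lines joined) to see which of the accepted suites still rely on SHA1 MACs.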

Because the tuxad repo excludes dovecot and other daemons by default, so that these packages normally come from Red Hat, you must use this command to install the tuxad dovecot:

yum install --disableexcludes=all \
  --disablerepo=* --enablerepo=tuxad dovecot

Posted by Frank W. Bergmann | File under: ssl, encryption, rpm, yum, repository, redhat, openssl