Perfect Forward Secrecy Support Poll

This forum contains features that have been archived. This section contains implemented features, duplicate requests, and requests which we have decided not to implement.

Perfect Forward Secrecy support for HMailserver?

Urgently: 6 (60%)
Yes: 4 (40%)
No: 0 (No votes)
Total votes: 10

linuxcrash
New user
Posts: 8
Joined: 2010-10-29 15:44

Perfect Forward Secrecy Support Poll

Post by linuxcrash » 2013-11-25 16:44

Perfect Forward Secrecy

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Perfect Forward Secrecy Support Poll

Post by percepts » 2013-11-25 18:24

linuxcrash wrote: Perfect Forward Secrecy
I think you need to state your case, since many, including me, know nothing of PFS.

linuxcrash
New user
Posts: 8
Joined: 2010-10-29 15:44

Re: Perfect Forward Secrecy Support Poll

Post by linuxcrash » 2013-11-26 12:05

Sorry for the missing information... Here are some links and information about this:

Article about Twitter:
http://yro.slashdot.org/story/13/11/24/ ... onnections

PFS Description:
https://en.wikipedia.org/wiki/Forward_secrecy

Wired article including Google, Facebook and Yahoo:
http://www.wired.co.uk/news/archive/201 ... encryption

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Perfect Forward Secrecy Support Poll

Post by percepts » 2013-11-26 12:20

Are there any RFCs?

linuxcrash
New user
Posts: 8
Joined: 2010-10-29 15:44

Re: Perfect Forward Secrecy Support Poll

Post by linuxcrash » 2013-11-26 12:35

Not sure if these are the correct ones, but that's what I found in regards to TLS:

TLS 1.2 RFC:
https://tools.ietf.org/html/rfc5246#section-8.1.2

Additional RFCs
RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
RFC 5289: “TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)”.
https://tools.ietf.org/html/rfc2412

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Perfect Forward Secrecy Support Poll

Post by percepts » 2013-11-26 12:57

There is already a feature request POLL for TLS:

http://www.hmailserver.com/forum/viewto ... =2&t=15500

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Perfect Forward Secrecy Support Poll

Post by Bill48105 » 2014-02-02 07:03

I responded to prisma regarding "Enforcing diffie-hellman-keyexchange within SSL-handshake"
http://www.hmailserver.com/forum/viewto ... 47#p156647
As stated since hmail uses openssl it appears it should be pretty easy to modify hmail so as to allow an optional setting (likely an INI to start with) which would let the admin specify ciphers allowed or not allowed from the table of available ciphers in the version of openssl used. If one could specify ECC for STARTTLS or SSL wouldn't that satisfy this request?
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

ehych
New user
Posts: 7
Joined: 2013-06-03 17:05

Re: Perfect Forward Secrecy Support Poll

Post by ehych » 2014-06-14 19:50

Hello, can anyone share the cipher they use for PFS? I've been trying a lot and can't get it to work.

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Perfect Forward Secrecy Support Poll

Post by prisma » 2014-08-07 17:14

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+RC4 EDH+aRSA EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

where RC4 is the fallback. RC4 is theoretically cracked. But AES CBC is vulnerable to BEAST...
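
An added example, not part of prisma's post or of hMailServer: it expands the cipher string above with the local OpenSSL through Python's `ssl` module and sorts the resulting suites by whether their key exchange is ephemeral. The function names and the name-prefix rule are assumptions of this sketch, and the result depends on the local OpenSSL build (RC4 suites are disabled by default from OpenSSL 1.1.0 on).

```python
import ssl

# Cipher string quoted from the post above.
CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+RC4 EDH+aRSA EECDH RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# OpenSSL suite-name prefixes that denote an ephemeral (EC)DH key exchange.
# "ECDH-" (static ECDH) and unprefixed names such as "RC4-SHA" (RSA key
# transport) are deliberately absent. This prefix rule is an assumption of
# the example, based on OpenSSL's suite naming.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(suite_name):
    """True if the OpenSSL suite name implies an ephemeral key exchange."""
    if suite_name.startswith("TLS_"):  # TLS 1.3 suites always use (EC)DHE
        return True
    return suite_name.startswith(EPHEMERAL_PREFIXES)


def audit_cipher_string(cipher_string):
    """Expand a cipher string with the local OpenSSL and return
    (forward_secret, not_forward_secret) lists of suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    forward_secret, other = [], []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        (forward_secret if is_forward_secret(name) else other).append(name)
    return forward_secret, other


if __name__ == "__main__":
    fs, other = audit_cipher_string(CIPHER_STRING)
    print(ssl.OPENSSL_VERSION)
    for name in fs:
        print("  PFS    ", name)
    for name in other:
        print("  no PFS ", name)
```

Any suite listed under "no PFS" is one the server could still negotiate without forward secrecy, so the bare `RC4` token is the part of the string to check on builds that still ship RC4.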

twaldorf
New user
Posts: 22
Joined: 2009-07-13 11:29

Re: Perfect Forward Secrecy Support Poll

Post by twaldorf » 2014-09-12 14:26

I tried this cipher (Settings -> Advanced -> Security) together with StartTLS and I got an error:

SSL_connect SYSCALL returned=5 errno=0 state=unknown state

when I test it with:

https://de.ssl-tools.net/mailservers/

What is wrong? :?

martin
Developer
Posts: 6835
Joined: 2003-11-21 01:09
Location: Sweden

Re: Perfect Forward Secrecy Support Poll

Post by martin » 2014-09-14 16:37

hMailServer 5.5 does not support PFS. So if you attempt to use it, the handshake will fail.

martin
Developer
Posts: 6835
Joined: 2003-11-21 01:09
Location: Sweden

Re: Perfect Forward Secrecy Support Poll

Post by martin » 2014-10-10 12:53

Implemented in 5.6.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve
