----- Forwarded message from Keith <keith@fernie.eu> ----- Date: Fri, 13 Sep 2013 13:41:22 +0100 From: Keith <keith@fernie.eu> To: Eugen Leitl <eugen@leitl.org> Cc: freedombox-discuss@lists.alioth.debian.org Subject: Re: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox X-Mailer: Evolution 3.4.4-3 PFS with snakeoil works. Trying it out here https://snakeoil.cf Using Apache 2.4 on a server running Jessie, it looks reasonable using just the default ciphers of SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5. Open to tweaking SSLCipherSuite. Now trying pfs for Postfix, will this email actually use it? On Fri, 2013-09-13 at 08:01 +0200, Eugen Leitl wrote:

On Thu, Sep 12, 2013 at 04:44:31PM +0100, Keith wrote:

...

With a CA on each freedombox there need not be a requirement for a server.

If my understanding of Tor is right, it is designed for anonymity, not encryption, should not need a CA for this.

Can you get PFS with snakeoil (I presume these are generated during the installation, is there at all enough entropy at that time so this is safe?) certs?

Postfix and dovecot in newer versions can do PFS: http://www.heinlein-support.de/blog/security/perfect-forward-secrecy-pfs-fur... _______________________________________________ Freedombox-discuss mailing list Freedombox-discuss@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5