[Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox

Eugen Leitl eugen at leitl.org
Fri Sep 13 05:53:53 PDT 2013


----- Forwarded message from Keith <keith at fernie.eu> -----

Date: Fri, 13 Sep 2013 13:41:22 +0100
From: Keith <keith at fernie.eu>
To: Eugen Leitl <eugen at leitl.org>
Cc: freedombox-discuss at lists.alioth.debian.org
Subject: Re: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
X-Mailer: Evolution 3.4.4-3

PFS with snakeoil works.
Trying it out here https://snakeoil.cf

Using Apache 2.4 on a server running Jessie, it looks reasonable using
just the default ciphers of SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5.
Open to tweaking SSLCipherSuite.

Now trying PFS for Postfix; will this email actually use it?

On Fri, 2013-09-13 at 08:01 +0200, Eugen Leitl wrote:
> On Thu, Sep 12, 2013 at 04:44:31PM +0100, Keith wrote:
> > With a CA on each freedombox there need not be a requirement for a
> > server.
> > 
> > If my understanding of Tor is right, it is designed for anonymity, not
> > encryption, should not need a CA for this.
> 
> Can you get PFS with snakeoil (I presume these are generated during
> the installation, is there at all enough entropy at that time so
> this is safe?) certs?
> 
> Postfix and dovecot in newer versions can do PFS:
> http://www.heinlein-support.de/blog/security/perfect-forward-secrecy-pfs-fur-postfix-und-dovecot/



----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
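
An added example, not part of the thread above: a small audit of which suites an OpenSSL cipher string such as the `HIGH:MEDIUM:!aNULL:!MD5` quoted in the message lets a server negotiate, split by whether the key exchange is ephemeral. That string also admits static-RSA key exchange, so whether a given connection gets forward secrecy depends on which suite is negotiated. The function names and the comparison string `EECDH+HIGH:EDH+HIGH:!aNULL:!MD5` are assumptions made for this illustration, and the result reflects the local OpenSSL build that Python links against.

```python
import ssl

THREAD_STRING = "HIGH:MEDIUM:!aNULL:!MD5"            # string quoted in the thread
EPHEMERAL_ONLY = "EECDH+HIGH:EDH+HIGH:!aNULL:!MD5"   # assumed comparison string

# OpenSSL name prefixes for authenticated ephemeral (EC)DH key exchange.
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(name: str) -> bool:
    """Classify an OpenSSL cipher-suite name by its key exchange."""
    # TLS 1.3 suite names carry no key exchange; certificate-authenticated
    # TLS 1.3 handshakes always use ephemeral (EC)DHE.
    if name.startswith("TLS_"):
        return True
    # Static RSA (e.g. AES256-SHA), static ECDH-*, plain PSK-* and SRP-*
    # fall through to False; anonymous ADH-/AECDH- are not counted either.
    return name.startswith(_EPHEMERAL_PREFIXES)


def audit(cipher_string: str) -> dict:
    """Expand a cipher string with the local OpenSSL and partition the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "forward_secret": [n for n in names if is_forward_secret(n)],
        "static_kx": [n for n in names if not is_forward_secret(n)],
    }


if __name__ == "__main__":
    for label, string in (("thread", THREAD_STRING), ("ephemeral-only", EPHEMERAL_ONLY)):
        result = audit(string)
        print(f"{label}: {string}")
        print(f"  forward-secret suites: {len(result['forward_secret'])}")
        print(f"  static key-exchange suites: {len(result['static_kx'])}")
        for name in result["static_kx"]:
            print(f"    no PFS: {name}")
```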


