Opened 11 years ago
Closed 11 years ago
#507 closed defect (fixed)
Mail SSL not supporting EC Ciphers
| Reported by: | Andreas Brörken | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | 1.5.x |
| Keywords: | mail SSL EC cipher elliptic curve | Cc: | |
| uname -a: | Linux <Server-Name> 2.6.32-431.5.1.el6.x86_64 #1 SMP Wed Feb 12 00:41:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.4.5
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=-Wl,-E |
||
Description
The mail_ssl module does not support ciphers that are using Elliptic Curves.
I'm using nginx on my server both as a mail reverse proxy and a web server which are both secured with SSL. When I run a cipher scan against that server, the EC ciphers only work for HTTP, but not for the mail module.
The output for HTTP is this:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
3 DHE-RSA-AES256-GCM-SHA384 TLSv1.2
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2
The output for IMAP SSL is only this.
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES256-GCM-SHA384 TLSv1.2
2 DHE-RSA-AES128-GCM-SHA256 TLSv1.2
Both modules have identical configuration for SSL and the used ciphersuite. I attached the config I am using at the moment.
Attachments (1)
Change History (2)
by , 11 years ago
| Attachment: | nginx_mail_bug.conf added |
|---|
comment:1 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
This is already fixed by revision 32fe021911c9 in nginx 1.5.1:
*) Bugfix: in the mail proxy server. Thanks to Filipe Da Silva.Thank you for your report.