## What ciphers set to use

### What ciphers set to use

What is the best cipher set to use. After reading thread https://www.hmailserver.com/forum/viewtopic.php?t=32902 I tested my settings as well. But no matter what cipher set I use I keep getting the message "Not enough secure parameters for Diffie-Hellman key exchange. DH-2048"

### Re: What ciphers set to use

what OS are you using ? ( it is a factor if you are on to "low" version .. that is if i understood correctly from using google-fu, below the versions win10 and/or server2016)Greta wrote: ↑2022-07-01 10:27What is the best cipher set to use. After reading thread https://www.hmailserver.com/forum/viewtopic.php?t=32902 I tested my settings as well. But no matter what cipher set I use I keep getting the message "Not enough secure parameters for Diffie-Hellman key exchange. DH-2048"

have you played with registry settings ( possibly hard setting only 1024 bits.. read some goofy post on internet making people do that ... )

and of course.. do the remote computer from which you are trying to access the hmailserver support Diffie-Hellman 2048 bits ?

Myself im on windows server 2019, hmailserver 5.6.8-B2574

If i go to: https://www.immuniweb.com/ssl/ and put in for example: [myserver.mydomain.com:587] ( because i have STARTSSL required on that port )

I among other things get:

DIFFIE-HELLMAN PARAMETER SIZE

Diffie-Hellman parameter size: 2048 bits

**Good configuration**

regarding wich cipher set is best to use, i have an really uninteresting answer: use the cipher set that best matches your requirements of your system, clients and remote servers(?).... ( what an moron vanilla answer... I KNOW ). You can always remove unwated ciphers ( for instance non-compliant with NIST OR other guidelines ) and see if that breaks your (old) clients possibilites to make secure connections ( possibly locking them out).

Myself i have a copule of old apple phones i play with, hence i am reluctant to do a full sweep ( removing all NIST non-compliant cipher guidelines ).. however I only connect with these unsecure devices from secure inside source and are not at all worried about someone being able to capture and crack that traffic ..

lets cheat darwin out of his legacy, find a cure for cancer...

### Re: What ciphers set to use

Hi,

Thank you for your response. I solved it by removing all DHE ciphers which contain the value 128.

Thank you for your response. I solved it by removing all DHE ciphers which contain the value 128.

### Re: What ciphers set to use

I got an A rating...

TLS v1.2 and TLS v1.3 only.

Yes, had to set STARTTLS required on port 25 for the test ...

Code: Select all

`TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;`

Yes, had to set STARTTLS required on port 25 for the test ...

SørenR.

**There are two types of people in this world:**

1) Those who can extrapolate from incomplete data1) Those who can extrapolate from incomplete data

### Re: What ciphers set to use

I have an A rating (fully PCI DSS, but not fully HIPAA or NIST compliance)

TLS 1.1 , TLS 1.2 , TLS 1.3

Code: Select all

`ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;`

https://www.hmailserver.com/forum/viewt ... =7&t=32902

lets cheat darwin out of his legacy, find a cure for cancer...

### Re: What ciphers set to use

NIST compliance require code changes in hMailServerjohang wrote: ↑2022-07-05 11:03I have an A rating (fully PCI DSS, but not fully HIPAA or NIST compliance)

TLS 1.1 , TLS 1.2 , TLS 1.3other recommended reading:Code: Select all

`ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;`

https://www.hmailserver.com/forum/viewt ... =7&t=32902

I like short and simple

I also have the ChaCha20 Poly1305 mod from B2574.45

Code: Select all

`TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305`

SørenR.

**There are two types of people in this world:**

1) Those who can extrapolate from incomplete data1) Those who can extrapolate from incomplete data