What ciphers set to use

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
Greta
Senior user
Senior user
Posts: 330
Joined: 2007-01-02 13:23
Contact:

What ciphers set to use

Post by Greta » 2022-07-01 10:27

What is the best cipher set to use. After reading thread https://www.hmailserver.com/forum/viewtopic.php?t=32902 I tested my settings as well. But no matter what cipher set I use I keep getting the message "Not enough secure parameters for Diffie-Hellman key exchange. DH-2048"

User avatar
johang
Senior user
Senior user
Posts: 793
Joined: 2008-09-01 09:20

Re: What ciphers set to use

Post by johang » 2022-07-03 10:07

Greta wrote:
2022-07-01 10:27
What is the best cipher set to use. After reading thread https://www.hmailserver.com/forum/viewtopic.php?t=32902 I tested my settings as well. But no matter what cipher set I use I keep getting the message "Not enough secure parameters for Diffie-Hellman key exchange. DH-2048"
what OS are you using ? ( it is a factor if you are on to "low" version .. that is if i understood correctly from using google-fu, below the versions win10 and/or server2016)
have you played with registry settings ( possibly hard setting only 1024 bits.. read some goofy post on internet making people do that ... )

and of course.. do the remote computer from which you are trying to access the hmailserver support Diffie-Hellman 2048 bits ?




Myself im on windows server 2019, hmailserver 5.6.8-B2574

If i go to: https://www.immuniweb.com/ssl/ and put in for example: [myserver.mydomain.com:587] ( because i have STARTSSL required on that port )

I among other things get:
DIFFIE-HELLMAN PARAMETER SIZE
Diffie-Hellman parameter size: 2048 bits Good configuration

regarding wich cipher set is best to use, i have an really uninteresting answer: use the cipher set that best matches your requirements of your system, clients and remote servers(?).... ( what an moron vanilla answer... I KNOW ). You can always remove unwated ciphers ( for instance non-compliant with NIST OR other guidelines ) and see if that breaks your (old) clients possibilites to make secure connections ( possibly locking them out).


Myself i have a copule of old apple phones i play with, hence i am reluctant to do a full sweep ( removing all NIST non-compliant cipher guidelines ).. however I only connect with these unsecure devices from secure inside source and are not at all worried about someone being able to capture and crack that traffic ..
lets cheat darwin out of his legacy, find a cure for cancer...

Greta
Senior user
Senior user
Posts: 330
Joined: 2007-01-02 13:23
Contact:

Re: What ciphers set to use

Post by Greta » 2022-07-04 18:55

Hi,

Thank you for your response. I solved it by removing all DHE ciphers which contain the value 128.

User avatar
SorenR
Senior user
Senior user
Posts: 5435
Joined: 2006-08-21 15:38
Location: Denmark

Re: What ciphers set to use

Post by SorenR » 2022-07-04 21:23

I got an A rating...

Code: Select all

TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
TLS v1.2 and TLS v1.3 only.

Yes, had to set STARTTLS required on port 25 for the test ... :twisted:
SørenR.

There are two types of people in this world:
1) Those who can extrapolate from incomplete data

User avatar
johang
Senior user
Senior user
Posts: 793
Joined: 2008-09-01 09:20

Re: What ciphers set to use

Post by johang » 2022-07-05 11:03

SorenR wrote:
2022-07-04 21:23
I got an A rating...
I have an A rating :wink: (fully PCI DSS, but not fully HIPAA or NIST compliance)

TLS 1.1 , TLS 1.2 , TLS 1.3

Code: Select all

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
other recommended reading:
https://www.hmailserver.com/forum/viewt ... =7&t=32902
lets cheat darwin out of his legacy, find a cure for cancer...

User avatar
SorenR
Senior user
Senior user
Posts: 5435
Joined: 2006-08-21 15:38
Location: Denmark

Re: What ciphers set to use

Post by SorenR » 2022-07-05 14:43

johang wrote:
2022-07-05 11:03
SorenR wrote:
2022-07-04 21:23
I got an A rating...
I have an A rating :wink: (fully PCI DSS, but not fully HIPAA or NIST compliance)

TLS 1.1 , TLS 1.2 , TLS 1.3

Code: Select all

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
other recommended reading:
https://www.hmailserver.com/forum/viewt ... =7&t=32902
NIST compliance require code changes in hMailServer :roll:

I like short and simple ;-)

I also have the ChaCha20 Poly1305 mod from B2574.45 8)

Code: Select all

TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SørenR.

There are two types of people in this world:
1) Those who can extrapolate from incomplete data

Post Reply