[BlueOnyx:14681] Re: error (0x800CCC80): - WORKAROUND

Michael Stauber mstauber at blueonyx.it
Mon Feb 17 18:58:31 -05 2014


Hi Dan,

> If anyone else has this problem I have found a slightly better workaround...
> 
> ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
> 
> ... it is nowhere near as good as the default config in BlueOnyx thanks 
> to the *awesome* work Michael has done but it is better than the config 
> we had last month before this update came out.
> 
> The source for this cipherlist is the dovecot mailing list:
>    http://permalink.gmane.org/gmane.mail.imap.dovecot/73479

It still uses RC4 ciphers. Among them RC4-SHA. Which I think is a bad
idea. If you can make do without RC4, then that would be a hell of a lot
better.

> Michael.  Any chance of getting the certificate authority fix added to 
> the setup though please?  This will definitely benefit everyone...
> 
> cp /etc/admserv/certs/ca-certs /etc/pki/dovecot/certs/ca.pem
> vi /etc/dovecot/conf.d/10-ssl.conf
>    ssl_ca = </etc/pki/dovecot/certs/ca.pem
> service dovecot restart

At this time we're using this in /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Which is generated this way:

# for smtps
echo "" > /etc/admserv/certs/blank.txt
cat /etc/admserv/certs/key /etc/admserv/certs/blank.txt /etc/admserv/certs/certificate > /usr/share/ssl/certs/sendmail.pem
chmod 0600, "/usr/share/ssl/certs/sendmail.pem";
Sauce::Service::service_run_init('sendmail', 'restart');

# for dovecot
/bin/cp /etc/admserv/certs/key /etc/pki/dovecot/private/dovecot.pem
/bin/cp /etc/admserv/certs/certificate /etc/pki/dovecot/certs/dovecot.pem

It's basically the same. Just that it uses separate files for key and
cert, not a unified one that contains both.

-- 
With best regards

Michael Stauber
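Added example, not BlueOnyx's or Dovecot's own code: a small POSIX shell script that does what the two halves of this message describe, installing the admserv key and certificate as separate Dovecot files (plus the optional CA chain Dan asked about), checking that the key actually belongs to the certificate before anything restarts dovecot, and refusing a ssl_cipher_list that can still negotiate RC4. The default paths are the ones named in the thread; that /etc/admserv/certs/ca-certs is a PEM bundle of intermediate certificates is an assumption, and both directory arguments can be pointed at a scratch location to try it without touching a live box.

```shell
#!/bin/sh
# Added example, not BlueOnyx code. Assumed layout (from the thread):
#   SRC=/etc/admserv/certs   holds  key, certificate, optionally ca-certs
#   DST=/etc/pki/dovecot     gets   private/dovecot.pem, certs/dovecot.pem, certs/ca.pem

# install_dovecot_certs [SRC] [DST]
#   Returns 0 on success, 1 if key or certificate is missing or unreadable.
install_dovecot_certs() {
    src="${1:-/etc/admserv/certs}"
    dst="${2:-/etc/pki/dovecot}"
    [ -s "$src/key" ] && [ -s "$src/certificate" ] || return 1
    mkdir -p "$dst/private" "$dst/certs" || return 1
    # Copy the key under a restrictive umask so it is never world-readable,
    # not even for the instant between cp and chmod.
    ( umask 077 && cp "$src/key" "$dst/private/dovecot.pem" ) || return 1
    chmod 0600 "$dst/private/dovecot.pem"
    cp "$src/certificate" "$dst/certs/dovecot.pem" || return 1
    chmod 0644 "$dst/certs/dovecot.pem"
    # The chain is optional (a self-signed admserv cert has none). When it is
    # present, reference it in 10-ssl.conf as:  ssl_ca = <$dst/certs/ca.pem
    if [ -s "$src/ca-certs" ]; then
        cp "$src/ca-certs" "$dst/certs/ca.pem" || return 1
        chmod 0644 "$dst/certs/ca.pem"
    fi
    return 0
}

# key_matches_cert KEY CERT
#   Derives the public key from the private key and compares it with the
#   public key inside the certificate, so a stale key/cert pair is caught
#   before dovecot is restarted with it. Needs the openssl CLI.
#   Returns 0 on match, 1 on mismatch or if either file cannot be parsed.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cipher_list_rejects_rc4 LIST
#   Returns 0 when an OpenSSL cipher string cannot negotiate RC4, 1 when it
#   still can. "!RC4" anywhere in the string removes RC4 permanently in
#   OpenSSL's cipher-string semantics, so it wins over any RC4 suite listed
#   elsewhere; otherwise any token naming RC4 (RC4-SHA, EECDH+RC4, ...)
#   keeps it enabled. The authoritative check on a real system is:
#       openssl ciphers -v "$LIST" | grep RC4
cipher_list_rejects_rc4() {
    case ":$1:" in
        *":!RC4:"*) return 0 ;;
    esac
    case "$1" in
        *RC4*) return 1 ;;
    esac
    return 0
}
```

Run install_dovecot_certs with no arguments on a BlueOnyx box to populate /etc/pki/dovecot, then key_matches_cert /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem before `service dovecot restart`; the ssl_cert and ssl_key lines quoted above stay as they are, and ssl_ca is only added when certs/ca.pem was actually written. Dan's list fails cipher_list_rejects_rc4 because of EECDH+RC4, EDH+RC4 and RC4-SHA; appending :!RC4 makes it pass without rewriting the rest.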


