When enabling "Only Strong Ciphers with Perfect Forward Secrecy" or using the custom ciphers "EECDH:EDH:ECDH:DH:HIGH:MEDIUM:!LOW:!SSLv2:+TLSv1:+TLSv1.2:+TLSv1.1:!MD5:!DSS:!3DES:!EXP:!SRP:!PSK:!SEED:!aNULL:!eNULL:!NULL:@STRENGTH", Webmin does not use PFS, only AES256-SHA.
openssl ciphers lists:
openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
openssl s_client -connect localhost:10000 -tls1_2
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA
Tested on CentOS 6.5 and CentOS 7.0, Webmin Version 1.710
Comments
Submitted by JamieCameron on Thu, 10/23/2014 - 15:28 Comment #1
A few people have reported this, but the cause isn't clear yet. Webmin just passes the list of ciphers un-changed down to the openssl library, which is then responsible for interpreting it ... so if openssl is still not supporting PFS, there isn't much we can do.
Submitted by verex on Thu, 10/23/2014 - 15:45 Pro Licensee Comment #2
openssl is supporting PFS perfectly well. Perfect Forward Secrecy and the ECDHE ciphers are working in Postfix and Apache exactly the way openssl ciphers -v shows the PFS ciphers.
See connection examples below:
openssl s_client -connect localhost:443
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported

openssl s_client -connect localhost:25 -starttls smtp
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported

openssl s_client -connect localhost:10000
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Submitted by JamieCameron on Fri, 10/24/2014 - 04:43 Comment #3
No, I meant the openssl server libraries that Webmin uses - not the client command.
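
A check for the symptom reported in this thread, as an added example that is not part of the original posts or of Webmin: it extracts the negotiated cipher from `openssl s_client` output and classifies its key exchange by name prefix. The function names are hypothetical, the demo lines are the summary lines quoted in comment #2, and `probe_pfs` (a live connection offering only ephemeral suites) is defined but not called.

```shell
#!/bin/sh
# Added example (not from the thread): report which cipher a handshake
# negotiated and whether its key exchange is ephemeral (forward secret).

# Read `openssl s_client` output on stdin and print the negotiated cipher.
# Matches the "New, ..., Cipher is X" summary line, or the SSL-Session
# "Cipher    : X" line if the summary is missing.
negotiated_cipher() {
    awk '/Cipher is /    { sub(/.*Cipher is /, ""); print $1; exit }
         /^ *Cipher *: / { print $NF; exit }'
}

# Classify an OpenSSL cipher name by its key-exchange prefix.
kx_class() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_*) echo "forward-secret" ;;      # ephemeral (EC)DH, TLS 1.3
        AECDH-*|ADH-*)             echo "anonymous" ;;           # ephemeral but unauthenticated
        ""|"(NONE)"|0000)          echo "no-cipher" ;;           # handshake failed
        *)                         echo "no-forward-secrecy" ;;  # RSA or static (EC)DH key exchange
    esac
}

# classify: s_client output on stdin -> "<cipher> <class>"
classify() {
    c=$(negotiated_cipher)
    echo "${c:-(NONE)} $(kx_class "$c")"
}

# Live probe: offer only ephemeral suites; "no-cipher" means the server
# accepted none of them. $1 is host:port of the caller's own service.
probe_pfs() {
    openssl s_client -connect "$1" -cipher 'EECDH:EDH' </dev/null 2>/dev/null | classify
}

# Offline demo on summary lines quoted in comment #2 of the thread.
for line in \
    "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384" \
    "New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384"; do
    printf '%s\n' "$line" | classify
done
```

Running `probe_pfs localhost:10000` against the affected Webmin instance separates "the server picks a non-PFS suite first" from "the server accepts no ephemeral suite at all".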