[Ach] Apache, Dovecot and other Cipherstrings aren't matching CipherString-B

Gunnar Haslinger gh.bettercrypto at hitco.at
Sat Nov 7 14:32:39 CET 2015

> On 2015-11-03 00:38, Aaron Zauner wrote:
> Nevertheless I feel the same way, AES128 should be preferred;
> and that's exactly what we're doing with the latest version of
> our bettercrypto cipherstring recommendation:
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex

On 2015-11-03 07:57 Gunnar Haslinger wrote:
> CipherString-B in Theory-Section 3.2.3 is different to
> Apache-Recommendation in Section 2.1.1.

On 2015-11-03 08:04 L. Aaron Kaplan wrote:
> This sounds like a mistake then. They should be the same.

I just checked the current Dovecot Cipherstring - and it differs from
CipherString-B too (equal to Apache).

nginx differs too (equal to Apache)

lighttpd differs too (similar to Apache) - additionally there is a ":"
missing between "!aNULL!eNULL".

Cherokee seems to be copied from lighttpd, so same missing ":" between

cyrus - like dovecot / apache

postfix - like dovecot / apache

IronPort: similar to dovecot / apache but additional: "!SRP"

Finding a single Cipherstring suitable for a variety of
OpenSSL-Versions is very hard. At least on current Debian 8.2 we
realized that CipherString-B is not sorted as it was thought to be when
the current recommendation in the guide was merged. The discussion led to:
maybe there should be separate recommendations for different

But how should we deal with these differences in the guide in the meantime?

Should Apache, Dovecot, nginx, lighttpd, etc... CipherStrings be changed
to match CipherString-B?

Should CipherString-B get an Update?
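
A way to check for the two problems raised in this mail (a missing ":" between entries, and per-service strings drifting from the reference in content or sort order on a given OpenSSL), as an added example that is not part of the original message or the guide. The cipher strings and service names are constructed placeholders, not the guide's CipherString-B or its per-service recommendations; the expansion reflects whatever OpenSSL the local Python is linked against.

```python
import ssl

def lint_separators(cipherstring):
    """Return tokens where a '!' appears after the first character, i.e. two
    entries fused by a missing ':' (the "!aNULL!eNULL" case from the mail)."""
    return [tok for tok in cipherstring.split(":") if "!" in tok[1:]]

def expand(cipherstring):
    """Ordered suites the local OpenSSL selects for this string.
    TLS 1.3 suites are configured separately, so they are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherstring)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def drift(reference, services):
    """Compare each service's expanded list with the reference expansion."""
    ref = expand(reference)
    report = {}
    for name, cipherstring in services.items():
        got = expand(cipherstring)
        if got == ref:
            report[name] = "ok"
        elif sorted(got) == sorted(ref):
            report[name] = "order differs"   # same suites, other preference
        else:
            report[name] = "set differs"     # suites added or missing
    return report

# Constructed sample strings (assumptions for illustration only).
REFERENCE = "EECDH+AES128:EECDH+AES256:!aNULL:!eNULL"
SERVICES = {
    "service-a": "EECDH+AES128:EECDH+AES256:!aNULL:!eNULL",
    "service-b": "EECDH+AES256:EECDH+AES128:!aNULL:!eNULL",
    "service-c": "EECDH+AES128:!aNULL:!eNULL",
}
FUSED = "EECDH+AES128:EECDH+AES256:!aNULL!eNULL"  # constructed, ':' missing

if __name__ == "__main__":
    print("fused tokens:", lint_separators(FUSED))
    for service, verdict in drift(REFERENCE, SERVICES).items():
        print(f"{service}: {verdict}")
    print("reference order on this OpenSSL:")
    for suite in expand(REFERENCE):
        print("  ", suite)
```

Running it on each target platform shows the effective order there, since the same string can expand differently across OpenSSL versions.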
