Testing mail servers TLS for PFS

Question asked by Charles Peters II on Nov 11, 2013

I recently learned about your site while viewing some of the IETF proceedings, where someone mentioned checking the security of various jabber servers with the IM Observatory.

Soon I will be upgrading my VPS, and openssl 1.0.1e will be installed and then some new certificates.  This time I will also be using CAcert and I am planning to add DNSSEC and DANE.  Once I figure out how to generate the certificates to properly support PFS, I want to verify it.
I would like to test whether self-signed certs, as well as other TLS certificates, meet the PFS criteria. It appears the Qualys site does not yet have such a mail server test. What other tools will show if the cert meets the PFS requirements, and what do we look for?

Here are few examples which show the mail server TLS cipher as DHE-RSA-AES256-SHA:

swaks -a -tls -q HELO -s -au cp -ap '<>'

openssl s_client -starttls smtp -crlf -connect
Unfortunately sslscan doesn't support TLS 1.1 or TLS 1.2 yet, although a patch is available.

$ sslscan --starttls
Results attached.
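One way to read the s_client output the question is collecting, as an added example that is not part of the original post or of any tool it names: forward secrecy is a property of the negotiated key exchange (DHE or ECDHE) rather than of the certificate, so the script parses a saved `openssl s_client -starttls smtp` transcript and reports whether the cipher suite uses an ephemeral exchange, whether that exchange is authenticated, and how large the server's DH parameters are. The sample transcripts are constructed, not captured from any real server, and the "Server Temp Key" line they contain is the one OpenSSL 1.0.2 and later print (older releases omit it, in which case the DH size check is simply skipped).

```python
"""Classify the key exchange reported by `openssl s_client` for forward secrecy.

Added example; the sample outputs below are constructed, not captured from a
real server, and trimmed to the lines the parser needs.
"""
import re

# Constructed sample 1: ephemeral DH, but only 1024-bit server DH parameters.
# (The "Server Temp Key" line is printed by OpenSSL 1.0.2 and later.)
SAMPLE_DHE = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA
"""

# Constructed sample 2: RSA key transport, no forward secrecy.
SAMPLE_RSA = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

# Constructed sample 3: STARTTLS handshake that never completed.
SAMPLE_FAILED = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""


def cipher_key_exchange(cipher):
    """Map an OpenSSL cipher-suite name to its key-exchange properties."""
    if cipher.startswith("TLS_"):       # TLS 1.3 suites: always (EC)DHE
        return {"kx": "TLS1.3-(EC)DHE", "ephemeral": True, "anonymous": False}
    if cipher.startswith("ECDHE-"):
        return {"kx": "ECDHE", "ephemeral": True, "anonymous": False}
    if cipher.startswith(("DHE-", "EDH-")):   # EDH- is the older OpenSSL spelling
        return {"kx": "DHE", "ephemeral": True, "anonymous": False}
    if cipher.startswith("AECDH-"):     # ephemeral but unauthenticated
        return {"kx": "ECDHE-anon", "ephemeral": True, "anonymous": True}
    if cipher.startswith("ADH-"):
        return {"kx": "DHE-anon", "ephemeral": True, "anonymous": True}
    if cipher.startswith("ECDH-"):      # static ECDH: the certificate holds the DH key
        return {"kx": "ECDH-static", "ephemeral": False, "anonymous": False}
    return {"kx": "RSA", "ephemeral": False, "anonymous": False}


def parse_s_client(output):
    """Return a verdict dict for one s_client transcript."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    temp = re.search(r"^Server Temp Key:\s*(.+?)\s*$", output, re.M)
    result = {"protocol": proto.group(1) if proto else None,
              "cipher": None, "kx": None, "forward_secrecy": False,
              "temp_key": temp.group(1) if temp else None, "warnings": []}
    if not cipher or cipher.group(1) in ("0000", "(NONE)"):
        result["warnings"].append("no cipher negotiated: handshake failed")
        return result
    name = cipher.group(1)
    kx = cipher_key_exchange(name)
    result.update(cipher=name, kx=kx["kx"])
    # Forward secrecy needs an ephemeral exchange that is also authenticated;
    # anonymous DH is ephemeral but gives no protection against an active MITM.
    result["forward_secrecy"] = kx["ephemeral"] and not kx["anonymous"]
    if kx["anonymous"]:
        result["warnings"].append("anonymous key exchange: no server authentication")
    if not kx["ephemeral"]:
        result["warnings"].append("static key exchange: a later key compromise "
                                  "exposes recorded sessions")
    dh = re.match(r"DH,\s*(\d+) bits", result["temp_key"] or "")
    if dh and int(dh.group(1)) < 2048:
        result["warnings"].append("DH parameters are only %s bits" % dh.group(1))
    return result


if __name__ == "__main__":
    for label, sample in (("dhe", SAMPLE_DHE), ("rsa", SAMPLE_RSA),
                          ("failed", SAMPLE_FAILED)):
        print(label, parse_s_client(sample))
```

To use it against a live server, save the transcript first (for example `openssl s_client -starttls smtp -crlf -connect host:25 < /dev/null > out.txt`) and pass the file contents to `parse_s_client`; a DHE suite with small DH parameters still counts as forward secret here but is flagged, since the parameter size, not the certificate, is what bounds the strength of the ephemeral exchange.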