[Dovecot] How to disable SSL and TLSv1.1?
Darren Pilgrim
list_dovecot at bluerosetech.com
Thu Sep 12 01:46:38 EEST 2013
On 9/9/2013 4:09 PM, Reindl Harald wrote:
> Am 09.09.2013 22:56, schrieb Darren Pilgrim:
>> I'm running Dovecot 2.2.5 and want to make it refuse SSLv2, SSLv3 and TLSv1.0. Clients will opportunistically use
>> TLS 1.1 and 1.2, but now I want to require that they do so. Is it enough to set
>>
>> ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5
>> or are there additional settings I need to specify?
>
> and what clients do you imagine to connect?
Thunderbird and a Webmail app.
> on most widely used distributions you even have no openssl
> version supporting TLS 1.2 and so you lock them all out
OpenSSL 1.0.1 supports TLS 1.2. So does Windows 7/8 and MacOS X.
Mozilla NSS 3.15 does 1.2.
FWIW, I was able to get it working with the following:
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH
The above disables SSLv2, v3 and TLSv1.0, leaving only TLSv1.1 with
AES/Camellia/3DES and TLSv1.2 with AES/AES-GCM.
Dovecot lacks the ability to disable TLS 1.1 or 1.2. Adding support for
specifying TLSv1.1 and TLSv1.2 in ssl_protocols looks pretty
straightforward: add 0x08 and 0x10 to the enum in
src/lib-ssl-iostream/iostream-openssl-common.c and expand the various
tests to include the appropriate strings.
Would a user-submitted patch to add TLSv1.1 and TLSv1.2 support to
ssl_protocols be appreciated?
--
Please reply on list.
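As an added illustration (not code from this thread or from Dovecot's source), here is a stand-alone C parser for the ssl_protocols syntax that includes the two flag values the post proposes; the enum names, the 0x1f ALL mask, the include/exclude semantics and the error handling are assumptions modelled on the description above, and the function returns the set of protocols that stay enabled so a setting can be checked before it is deployed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed flag values: the post describes 0x01..0x04 as existing and
 * proposes adding 0x08 (TLSv1.1) and 0x10 (TLSv1.2); ALL is then 0x1f. */
enum {
    PROTO_SSLv2   = 0x01,
    PROTO_SSLv3   = 0x02,
    PROTO_TLSv1   = 0x04,
    PROTO_TLSv1_1 = 0x08,   /* proposed */
    PROTO_TLSv1_2 = 0x10,   /* proposed */
    PROTO_ALL     = 0x1f
};

/* Map a protocol name as written in ssl_protocols to its flag, -1 if unknown. */
static int proto_by_name(const char *name)
{
    static const struct { const char *name; int bit; } tab[] = {
        { "SSLv2", PROTO_SSLv2 },     { "SSLv3", PROTO_SSLv3 },
        { "TLSv1", PROTO_TLSv1 },     { "TLSv1.1", PROTO_TLSv1_1 },
        { "TLSv1.2", PROTO_TLSv1_2 },
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcasecmp(name, tab[i].name) == 0)
            return tab[i].bit;
    return -1;
}

/* Parse an ssl_protocols value such as "!SSLv2 !SSLv3 !TLSv1" and return the
 * bitmask of protocols left enabled, or -1 on an unknown name.  A bare name
 * means "only these"; a '!' name is always removed, even if also listed bare. */
int enabled_protocols(const char *setting)
{
    char buf[256];
    int include = 0, exclude = 0;

    if (strlen(setting) >= sizeof buf)
        return -1;
    strcpy(buf, setting);
    for (char *tok = strtok(buf, ", "); tok != NULL; tok = strtok(NULL, ", ")) {
        int neg = (*tok == '!');
        int bit = proto_by_name(neg ? tok + 1 : tok);
        if (bit < 0)
            return -1;                      /* reject typos instead of silently allowing */
        if (neg) exclude |= bit; else include |= bit;
    }
    if (include != 0)
        exclude |= PROTO_ALL & ~include;    /* bare names restrict to that set */
    return PROTO_ALL & ~exclude;
}
```

With the setting from the message, "!SSLv2 !SSLv3 !TLSv1", the result is 0x18, i.e. only TLSv1.1 and TLSv1.2 remain.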