[Dovecot] How to disable SSL and TLSv1.1?
Reindl Harald
h.reindl at thelounge.net
Thu Sep 12 01:52:32 EEST 2013
On 12.09.2013 00:46, Darren Pilgrim wrote:
> On 9/9/2013 4:09 PM, Reindl Harald wrote:
>> On 09.09.2013 22:56, Darren Pilgrim wrote:
>>> I'm running Dovecot 2.2.5 and want to make it refuse SSLv2, SSLv3 and TLSv1.0. Clients will opportunistically use
>>> TLS 1.1 and 1.2, but now I want to require they do so. Is it enough to set
>>>
>>> ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5
>>>
>>> or are there additional settings I need to specify?
>>
>> and what clients do you imagine to connect?
>
> Thunderbird and a Webmail app

in that special case you may be lucky

>> on most widely used distributions you even have no openssl
>> version supporting TLS 1.2 and so you lock them all out
>
> OpenSSL 1.0.1 supports TLS 1.2

and that is why i said most widely used does not

RHEL5: openssl-0.9.8e
RHEL6: openssl-1.0.0
Fedora 17: openssl-1.0.0k
Fedora 18: openssl-1.0.1e

if you have only a few users where you know OS and mail-client
this is doable, for any server with customers it is a no-go
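
Added example, not part of the original post or of anyone's reply in this thread: the setting from the question next to a configuration that restricts protocol versions. It assumes the `ssl_protocols` setting of Dovecot 2.1 and later and a Dovecot built against OpenSSL 1.0.1 or newer, so that TLSv1.1 and TLSv1.2 are available at all.

```conf
# As posted in the question. ssl_cipher_list only filters cipher suites.
# In an OpenSSL cipher string, SSLv2 and SSLv3 name groups of cipher suites,
# not protocol versions. TLS 1.0 and TLS 1.1 reuse the SSLv3 suites, so
# "!SSLv3" removes the suites a TLS 1.1 client needs as well.
#ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5

# Protocol versions are chosen with a separate setting (Dovecot 2.1/2.2).
# Everything not negated stays enabled, so this leaves TLSv1.1 and TLSv1.2.
# Dovecot 2.3 replaced ssl_protocols with ssl_min_protocol.
ssl_protocols = !SSLv2 !SSLv3 !TLSv1

# Keep the cipher string for what it is meant to do: suite selection.
ssl_cipher_list = HIGH:!aNULL:!MD5
```

After a reload, `doveconf ssl_protocols` shows the value in effect, and `openssl s_client -connect mail.example.org:993 -tls1` (placeholder hostname) should fail to handshake while the same command with `-tls1_2` succeeds.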