[Dovecot] How to disable SSL and TLSv1.1?
Noel Butler
noel.butler at ausics.net
Thu Sep 12 09:54:02 EEST 2013
On Wed, 2013-09-11 at 15:46 -0700, Darren Pilgrim wrote:
> > on most widely used distributions you even have no openssl
> > version supporting TLS 1.2 and so you lock them all out
>
> OpenSSL 1.0.1 supports TLS 1.2. So does Windows 7/8 and MacOS X.
> Mozilla NSS 3.15 does 1.2.
>
> FWIW, I was able to get it working with the following:
>
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
> ssl_cipher_list =
> ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH
>
> The above disables SSLv2, v3 and TLSv1.0, leaving only TLSv1.1 with
> AES/Camellia/3DES and TLSv1.2 with AES/AES-GCM.
>
> Dovecot lacks the ability to disable TLS 1.1 or 1.2. Adding support for
> specifying TLSv1.1 and TLSv1.2 in ssl_protocols looks pretty straight
> forward: add 0x08 and 0x10 to the enum in
> src/lib-ssl-iostream/iostream-openssl-common.c and expand the various
> tests to include the appropriate strings.
>
> Would a user-submitted patch to add TLSv1.1 and TLSv1.2 support to
> ssl_protocols be appreciated?
Frankly I think your idea is crazy :)
But if your in a closed network and known all clients, including mobiles
and tablets etc will work with what you want, well, your network, your
rules.
I'm always of the belief that if one person wants a feature, they might
be the only vocal person, but they are never really alone, so post your
patch, Timo can only either pull it in, or decline it, as for its useful
for others, only time will tell, but not even god will help those who
use it on a commercial network with paying customers - thats just plain
professional suicide.
Cheers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130912/09531df2/attachment.bin>
More information about the dovecot
mailing list