disabling certain ciphers
Will Yardley
dovecot.org at veggiechinese.net
Tue Dec 2 00:43:02 UTC 2014
Can you use both ssl_protocols *and* ssl_cipher_list in the same config
(in a way that's sane)? Can ssl_protocols (>= 2.1) and ssl_cipher_list
co-exist, or are they mutually exclusive?
I have a Dovecot 2.2.13 system, and I tried setting:
I also tried things like
ssl_cipher_list = HIGH
or
ssl_cipher_list = HIGH:!MEDIUM:!LOW
however, doing this seems to make v3 still work unless I explicitly do
!SSLv3 in ssl_cipher_list in addition to disabling it in $ssl_protocols.
This is different from Apache, which has similar parameters, but where
disabling the protocol takes precedence.
If I just do:
ssl_protocols = !SSLv2 !SSLv3
I still get some ciphers that show up as "weak", e.g.,
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
[....]
| TLS_RSA_WITH_DES_CBC_SHA - weak
Is there a way to exclude these ciphers, while still keeping my config
easy to parse and avoiding duplicative or deprecated configs?
The behavior is also pretty strange; if I have something like one of the
following, with or without $ssl_protocols set to exclude SSLv2 and SSLv3:
ssl_cipher_list = HIGH:!MEDIUM:!LOW:!SSLv3
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:!MEDIUM
TLS v1.0 and v1.1 get disabled as well.
I also can't seem to explicitly enable TLS 1.0 or 1.1 in
$ssl_cipher_list.
w
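The scanner listing quoted above (one protocol block, then "cipher - rating" lines) is easy to check mechanically. The following is an added example, not code from the post or from Dovecot: it parses that output format, reports which protocols the server still answers on and which suites the scanner rated weak, and maps each weak suite to the OpenSSL cipher-string negation that would drop it. The sample listing is constructed from the post's quoted lines, and the IANA-name-fragment to OpenSSL-keyword table is this example's own assumption (the keywords DES, 3DES, RC4, eNULL, EXP and aNULL are standard OpenSSL cipher-string names).

```python
import re
from collections import defaultdict

# Constructed sample in the style of the scanner output quoted in the post
# (SSLv3 block taken from the post, TLSv1.0 block added for illustration).
SAMPLE_SCAN = """\
| SSLv3:
|   ciphers:
|     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|     TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|     TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
|     TLS_RSA_WITH_DES_CBC_SHA - weak
| TLSv1.0:
|   ciphers:
|     TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|     TLS_RSA_WITH_DES_CBC_SHA - weak
"""

PROTO_RE = re.compile(r'^\|\s*(SSLv[23]|TLSv1\.[0-3]):\s*$')
CIPHER_RE = re.compile(r'^\|\s*(TLS_[A-Z0-9_]+)\s*-\s*(\w+)\s*$')

# Assumed mapping: IANA suite-name fragment -> OpenSSL cipher-string negation.
# "_3DES_" is listed before "_DES_"; the latter does not match 3DES suites
# because the character before "DES" there is "3", not "_".
EXCLUDE_KEYWORDS = [
    ("_3DES_", "!3DES"),
    ("_DES_", "!DES"),
    ("_RC4_", "!RC4"),
    ("_NULL_", "!eNULL"),
    ("_EXPORT", "!EXP"),
    ("_anon_", "!aNULL"),
]


def parse_scan(text):
    """Return {protocol: [(suite_name, rating), ...]} from scanner output."""
    result = defaultdict(list)
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            result[proto].append((m.group(1), m.group(2)))
    return dict(result)


def enabled_protocols(scan):
    """Protocol versions the server negotiated at least one suite on."""
    return sorted(scan)


def weak_ciphers(scan):
    """Distinct suite names the scanner rated anything other than 'strong'."""
    return sorted({name for suites in scan.values()
                   for name, rating in suites if rating != "strong"})


def suggested_exclusions(scan):
    """OpenSSL negations (per the assumed table) covering every weak suite found."""
    keywords = []
    for name in weak_ciphers(scan):
        for fragment, keyword in EXCLUDE_KEYWORDS:
            if fragment in name and keyword not in keywords:
                keywords.append(keyword)
    return keywords


def protocol_violations(scan, allowed):
    """Compare what is enabled against the intended policy: protocols that
    should be off but answer, and protocols that should be on but do not."""
    return {
        "unexpected": sorted(p for p in scan if p not in allowed),
        "missing": sorted(set(allowed) - set(scan)),
    }


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print("enabled:", enabled_protocols(scan))
    print("weak:", weak_ciphers(scan))
    print("exclude:", ":".join(suggested_exclusions(scan)))
    print("policy:", protocol_violations(scan, {"TLSv1.0", "TLSv1.1", "TLSv1.2"}))
```

Run it against the real scanner output instead of the constructed sample to see, after each config change, whether SSLv3 is really gone and whether TLS 1.0/1.1 survived, which is the regression described in the post; the suggested negations target individual weak suites rather than a whole protocol keyword, so they do not take the TLS 1.0/1.1 suites down with them.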