disabling certain ciphers

Reindl Harald h.reindl at thelounge.net
Tue Dec 2 16:38:38 UTC 2014



On 02.12.2014 at 17:33, Darren Pilgrim wrote:
> On 12/2/2014 1:32 AM, Reindl Harald wrote:
>>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>>> ssl_dh_parameters_length = 2048
>>>> ssl_parameters_regenerate = 0
>>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>>
>>> But why does ssl_protocols behave differently depending on if
>>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>>
>>> It seems that if ssl_cipher_list is defined,
>>> ssl_protocols = !SSLv2 !SSLv3
>>>
>>> results in TLS1.2 being the only one active, but if it is defined, 1.0,
>>> 1.1, and 1.2 are all active?
>>
>> ssl_protocols = !SSLv2 !SSLv3
>>
>> and you are fine, anything else is nonsense because when TLSv1.3 will be
>> released you go to each and every server to add it to the config? likely
>> not!
>
> Configuration management. :)

mis-management is the right word for disabling future protocols

> Also, no, you need to do more than just disable SSLv3.  You need to
> disable several cipher groups allowed in TLSv1.0 and TLSv1.1, bump up
> the DH parameter size, and, if your client base allows it, only allow
> ciphers with forward secrecy

I *only* referred to "ssl_protocols" and not to ciphers

the settings below are sane settings supporting older Outlooks that only talk
RC4/DES, but they prefer a specific order for other clients

ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
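As an added example (not from this thread and not Dovecot's own code), a small Python audit of the two settings under discussion: it models the difference between the exclusion form of ssl_protocols and an allow-list, and checks the posted ssl_cipher_list against the ordering described above (forward secrecy first, plain RSA next, legacy suites last). The TLSv1.3 entry and the exact resolution rules for ssl_protocols are assumptions made to illustrate the "future protocol" argument.

```python
# Protocol names as Dovecot's ssl_protocols spells them. TLSv1.3 had not been
# released when this thread was written; it is included only to model the
# "future protocol" case the post argues about (an assumption of the example).
LIBRARY_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# The ssl_cipher_list posted in the message above, verbatim.
POSTED_CIPHER_LIST = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA"

PFS_PREFIXES = ("ECDHE-", "DHE-")  # ephemeral key exchange = forward secrecy

def resolve_protocols(setting, library=LIBRARY_PROTOCOLS):
    """Resolve an ssl_protocols value to the protocols left enabled.

    Modelled semantics (assumed, not Dovecot's own parser): '!X' disables X,
    and any bare name turns the value into an allow-list of the bare names.
    """
    tokens = setting.split()
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    allowed = {t for t in tokens if not t.startswith("!")}
    base = allowed if allowed else set(library)
    return [p for p in library if p in base and p not in disabled]

def suite_rank(suite):
    """Preference tier of an OpenSSL suite name: 0 = forward secrecy,
    1 = plain RSA key exchange, 2 = legacy primitive (3DES, RC4 or MD5)."""
    if "DES-CBC3" in suite or "RC4" in suite or suite.endswith("-MD5"):
        return 2
    return 0 if suite.startswith(PFS_PREFIXES) else 1

def audit_cipher_list(cipher_list, prefer_server_ciphers=True):
    """Check a list against the policy the post describes: forward-secrecy
    suites first, plain RSA next, legacy suites last, and server preference
    on (otherwise the client's order decides and the list order is moot)."""
    suites = [s for s in cipher_list.split(":") if s]
    findings = []
    if not prefer_server_ciphers:
        findings.append("ssl_prefer_server_ciphers = no: list order is not enforced")
    highest_rank_seen = 0
    for suite in suites:
        rank = suite_rank(suite)
        if rank < highest_rank_seen:
            findings.append(f"{suite} is listed after a lower-tier suite")
        highest_rank_seen = max(highest_rank_seen, rank)
    return {
        "suites": len(suites),
        "without_pfs": [s for s in suites if not s.startswith(PFS_PREFIXES)],
        "legacy": [s for s in suites if suite_rank(s) == 2],
        "findings": findings,
    }
```

Run against the posted list, the audit reports the two DHE Camellia suites, which sit behind the plain-RSA AES suites in the posted order, and lists the seven suites kept for clients without forward secrecy.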

