disabling certain ciphers

Will Yardley dovecot.org at veggiechinese.net
Tue Dec 2 17:42:50 UTC 2014


On Tue, Dec 02, 2014 at 08:34:50AM -0800, Darren Pilgrim wrote:
> On 12/1/2014 9:44 PM, Will Yardley wrote:
> > On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
> >> On 12/1/2014 4:43 PM, Will Yardley wrote:
> >>
> >>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config
> >>> (in a way that's sane)?
> >>
> >> Yes to both.  If you need to support older clients:
> >
> > But why does ssl_protocols behave differently depending on if
> > $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
> >
> > It seems that if ssl_cipher_list is defined,
> > ssl_protocols = !SSLv2 !SSLv3
> >
> > results in TLS1.2 being the only one active, but if it is defined, 1.0,
> > 1.1, and 1.2 are all active?
> 
> Where are you seeing this behaviour?  What tool is reporting this?

I have mostly been testing with nmap, e.g.,
nmap -p 993 --script ssl-enum-ciphers [target]

This then breaks down the ciphers by protocol suite. I'll test with your
ssl_cipher_list example and see if it's reproducible.

w
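As an added example (not code from this thread or from Dovecot), a small parser over `ssl-enum-ciphers`-style output that lists which protocol versions the server actually negotiated and flags any that an `ssl_protocols = !SSLv2 !SSLv3` setting was meant to disable. The sample scan output is constructed, and its line layout is an assumption modelled on the script's usual format.

```python
import re

# Constructed sample (not a real scan), modelled on the layout of
# `nmap -p 993 --script ssl-enum-ciphers` for a server that still offers
# TLSv1.0 alongside TLSv1.2.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A
"""

# A protocol heading is a pipe-prefixed line ending in ':' naming SSLv2/3 or TLSv1.x.
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
# A cipher line is a pipe-prefixed line whose first token is the suite name.
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+|SSL_\S+)")

def parse_enum_ciphers(text):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers script output."""
    protocols = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append(m.group(1))
    return protocols

def check_policy(protocols, disabled):
    """Return the negotiated protocols that the config claims to disable,
    e.g. disabled={'SSLv2', 'SSLv3'} for `ssl_protocols = !SSLv2 !SSLv3`."""
    return sorted(p for p in protocols if p in disabled)

if __name__ == "__main__":
    offered = parse_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for proto, ciphers in offered.items():
        print(f"{proto}: {len(ciphers)} cipher(s)")
    print("policy violations:", check_policy(offered, {"SSLv2", "SSLv3"}))
```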