Correct settings for ssl protocols" and "ssl ciphers"
Arkadiusz Miśkiewicz
arekm at maven.pl
Tue Jan 17 13:07:14 UTC 2017
On Tuesday 17 of January 2017, Jerry wrote:
> I have the following two settings in my "10-ssl.conf" file
>
> # SSL protocols to use
> ssl_protocols = !SSLv2
>
> # SSL ciphers to use
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> I have seen different configurations while Googling. I am wondering
> what the consensus is for the best settings for these two items. What
> do the developers recommend?
Likely the same or similar to what browsers recommend.
See
https://wiki.mozilla.org/Security/Server_Side_TLS
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
Currently using:
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES1
28-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:EC
DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-
GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-
SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_protocols = !SSLv2 !SSLv3
>
> Thanks!
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
More information about the dovecot
mailing list