On 04.03.2015 18:19, Emmanuel Dreyfus wrote:
> On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote:
>> Hello, about CVE-2015-0204, in Apache the following config seems to disable this vulnerability:
>>
>> SSLProtocol All -SSLv2 -SSLv3
>> SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
>>
>> Is something similar possible with Dovecot?
>
> I use this with some success:
>
> # dovecot has built-in protection against BEAST, therefore no need
> # to remove -SSLv2-SHA1:-TLSv10-SHA1
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
>
> I only had a single report of an old client being locked out. Oddly, it was a recent Windows Phone that was perfectly capable of using the latest protocol and ciphers.
>
> While there, I will self-advertise my own paper on TLS hardening: http://arxiv.org/abs/1407.2168
Thank you for the answer. Is the "!EXPORT" part included in "ECDH@STRENGTH:DH@STRENGTH:HIGH", or must it be added as well?
-- Best regards, Adrian Minta
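A check for the question at the end of the thread, added here as an example; it is not code from the thread or from Dovecot. It expands each cipher string the way the server's OpenSSL would and flags any suite that is export-grade, RC4, MD5, single-DES, anonymous-auth or null-encryption, i.e. the categories both configurations above try to exclude. Only the Python standard library is used: SSLContext.get_ciphers() returns, for each selected suite, the same description line that `openssl ciphers -v` prints, so the policy rules are substring tests on that line. The names expand, audit, needs_export_exclusion, RULES and WEAK_LIST are my own; WEAK_LIST ("ALL:eNULL") is a deliberately weak control string constructed for the example. Two facts to keep in mind when reading the output: HIGH itself never matches export-grade suites (those are 40- or 56-bit), but on OpenSSL 1.0.x the DH alias placed before it does match the export DHE and ADH suites, all of which use 40-bit DES or RC4 and so are removed by the !DES, !RC4 and !aNULL rules that follow; and OpenSSL 1.1.0 and later do not build export suites at all, so on such a build the EXPORT rule can never fire. An explicit !EXPORT therefore removes nothing on either, but it documents the intent, which matters for CVE-2015-0204 because that is a client-side bug whose only server-side mitigation is to never offer an export suite.

```python
"""Added example (not from the thread): expand an OpenSSL cipher string the way
the server's OpenSSL would and flag suites that break the policy both mail
configs aim at: no export-grade, RC4, MD5, single-DES, anonymous-auth (aNULL)
or null-encryption (eNULL) suites.  Standard library only; Python 3.6+.
"""
import ssl

# The two cipher strings quoted in the thread.
APACHE_LIST = "HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
DOVECOT_LIST = "ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL"
# Constructed control case for this example: every suite OpenSSL has, plus
# the null-encryption ones that ALL leaves out.
WEAK_LIST = "ALL:eNULL"

# Policy rules as substring tests on SSL_CIPHER_description() output, e.g.
# "EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"
# (the same text `openssl ciphers -v` prints).  Single DES shows as
# "Enc=DES(56)"; 3DES shows as "Enc=3DES(168)" and is deliberately not
# caught, because the !DES alias in the thread does not remove 3DES either.
RULES = (
    ("EXPORT", lambda d: d.split()[0].startswith("EXP")
                         or d.rstrip().endswith(" export")),
    ("RC4",    lambda d: "Enc=RC4(" in d),
    ("MD5",    lambda d: "Mac=MD5" in d),
    ("DES",    lambda d: "Enc=DES(" in d),
    ("aNULL",  lambda d: "Au=None" in d),
    ("eNULL",  lambda d: "Enc=None" in d),
)


def expand(cipher_string):
    """Suites OpenSSL selects for cipher_string, as SSLContext.get_ciphers() dicts.

    get_ciphers() returns the configured list, so it also shows suites the
    current security level would refuse at handshake time; for auditing the
    string itself that is what we want.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no suite matches at all
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return (suite_names, violations); violations is a list of (rule, suite)."""
    suites = expand(cipher_string)
    violations = [(rule, s["name"])
                  for s in suites
                  for rule, hits in RULES
                  if hits(s["description"])]
    return [s["name"] for s in suites], violations


def needs_export_exclusion(cipher_string):
    """True if this OpenSSL build still admits an export-grade suite for the
    string, i.e. an explicit !EXPORT would actually remove something."""
    return any(rule == "EXPORT" for rule, _ in audit(cipher_string)[1])


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, cs in (("Apache", APACHE_LIST),
                      ("Dovecot", DOVECOT_LIST),
                      ("control", WEAK_LIST)):
        names, violations = audit(cs)
        print(f"{label}: {len(names)} suites, {len(violations)} policy violations;"
              f" explicit !EXPORT needed here: {needs_export_exclusion(cs)}")
        for rule, name in sorted(set(violations)):
            print(f"  {rule:6} {name}")
```

Run as-is it prints the expansion of the three strings under the local OpenSSL: the control string should yield aNULL and eNULL hits, while both mail configurations yield none. On an OpenSSL 1.0.x host the EXPORT rule is the one that answers the question directly; on 1.1.0 and later it cannot fire because export suites are not compiled in, so an empty result there says nothing about older builds the same configuration may be deployed on.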