On Sun, 24 Jul 2005, 17:06 GMT+03 Timo Sirainen wrote:
On Sun, 2005-07-24 at 11:37 +0200, Robert Allerstorfer wrote:
I have noticed the 'ssl_cipher_list' directive in the 1.0-test snapshots which is not in 0.99. Its default value seems to be "all:!low". However, this would not be compatible with openssl's cipher listing format. Thus, I would vote to change its format to be openssl compatible. To be compatible, it has to be changed to "ALL:!LOW" (just uppercased in this case).
I noticed the Debian bug report about this. ALL:!LOW is actually the default internally, all:!low is shown only in dovecot-example.conf. I've changed that already.
Thank you!
I want dovecot to only accept high encrypted ciphers, thus it should support
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
But will it break some clients? Especially some mobile phones? Are there some recommendations of what that list should contain?
I'm pretty sure it will, but I don't care, as long as Mozilla and other popular MUAs support the strong ciphers. Apache's mod_ssl 'SSLCipherSuite' directive has "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" as the default - see http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite
The +HIGH:+MEDIUM:+LOW:+SSLv2:+EXP at the end only affects the ranking of the ciphers and should ensure that the stronger ciphers are on top.
ALL:!LOW and ALL:!LOW:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP result in the same list, but the latter returns it in a better order, to prefer "better" ciphers if they are suitable.
best, rob.