On Wed, 2013-09-11 at 15:46 -0700, Darren Pilgrim wrote:
on most widely used distributions you even have no openssl version supporting TLS 1.2 and so you lock them all out
OpenSSL 1.0.1 supports TLS 1.2. So does Windows 7/8 and MacOS X. Mozilla NSS 3.15 does 1.2.
FWIW, I was able to get it working with the following:
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH
The above disables SSLv2, v3 and TLSv1.0, leaving only TLSv1.1 with AES/Camellia/3DES and TLSv1.2 with AES/AES-GCM.
Dovecot lacks the ability to disable TLS 1.1 or 1.2. Adding support for specifying TLSv1.1 and TLSv1.2 in ssl_protocols looks pretty straight forward: add 0x08 and 0x10 to the enum in src/lib-ssl-iostream/iostream-openssl-common.c and expand the various tests to include the appropriate strings.
Would a user-submitted patch to add TLSv1.1 and TLSv1.2 support to ssl_protocols be appreciated?
Frankly I think your idea is crazy :) But if your in a closed network and known all clients, including mobiles and tablets etc will work with what you want, well, your network, your rules.
I'm always of the belief that if one person wants a feature, they might be the only vocal person, but they are never really alone, so post your patch, Timo can only either pull it in, or decline it, as for its useful for others, only time will tell, but not even god will help those who use it on a commercial network with paying customers - thats just plain professional suicide.
Cheers