Restricting SSL/TLS protocol versions on Dovecot 2.2.22
Hello,
I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
In: 10-ssl.conf there are two parameters:
ssl_protocols
ssl_cipher_listssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”.
If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing ?
So is:
ssl_cipher_list = !SSLv3…equivalent to:
ssl_protocols = !SSLv3
ssl_cipher_list = !SSLv3Thanks,
- J
Am 29.07.2018 um 21:02 schrieb J Doe:
Hello,
I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
In: 10-ssl.conf there are two parameters:
ssl_protocols ssl_cipher_listssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”.
If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing ?
So is:
ssl_cipher_list = !SSLv3…equivalent to:
ssl_protocols = !SSLv3 ssl_cipher_list = !SSLv3
No. SSLv3 is not a cipher but a protocol.
"ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
Thanks,
- J
Alexander
On Jul 29, 2018, at 6:02 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
Am 29.07.2018 um 21:02 schrieb J Doe:
Hello, I have a question regarding SSL/TLS settings for Dovecot version 2.2.22. In: 10-ssl.conf there are two parameters: ssl_protocols ssl_cipher_list ssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”. If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing ? So is: ssl_cipher_list = !SSLv3 …equivalent to: ssl_protocols = !SSLv3 ssl_cipher_list = !SSLv3
No. SSLv3 is not a cipher but a protocol.
"ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
For ciphers you could define by ssl_cipher_list see "openssl ciphers -v”
Hi Alexander and list,
I think there may be a discrepancy in the documentation.
On the wiki on the “Dovecot SSL Configuration” page [1] under the section “SSL security settings” it says:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULLIn the conf.d/10-ssl.conf it states:
# SSL protocols to use
#ssl_protocols = !SSLv2
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULLMy new question is:
1. Are the SSL/TLS protocols to use and/or exclude specified in “ssl_protocols”, “ssl_cipher_list” or both ?Thanks,
- J
Sources: [1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
On 30 July 2018 at 21:42 J Doe general@nativemethods.com wrote:
On Jul 29, 2018, at 6:02 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
Am 29.07.2018 um 21:02 schrieb J Doe:
Hello, I have a question regarding SSL/TLS settings for Dovecot version 2.2.22. In: 10-ssl.conf there are two parameters: ssl_protocols ssl_cipher_list ssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”. If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing ? So is: ssl_cipher_list = !SSLv3 …equivalent to: ssl_protocols = !SSLv3 ssl_cipher_list = !SSLv3
No. SSLv3 is not a cipher but a protocol.
"ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
For ciphers you could define by ssl_cipher_list see "openssl ciphers -v”
Hi Alexander and list,
I think there may be a discrepancy in the documentation.
On the wiki on the “Dovecot SSL Configuration” page [1] under the section “SSL security settings” it says:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULLIn the conf.d/10-ssl.conf it states:
# SSL protocols to use #ssl_protocols = !SSLv2 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULLMy new question is:
1. Are the SSL/TLS protocols to use and/or exclude specified in “ssl_protocols”, “ssl_cipher_list” or both ?
You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled. ssl protocol defines which protocol(s) to support. ssl_cipher_list defines which cipher(s) to support. They are not the same thing.
Aki
Thanks,
- J
Sources: [1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
On 30.07.2018 22:29, Aki Tuomi wrote:
On 30 July 2018 at 21:42 J Doe general@nativemethods.com wrote:
On Jul 29, 2018, at 6:02 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
Am 29.07.2018 um 21:02 schrieb J Doe:
Hello, I have a question regarding SSL/TLS settings for Dovecot version 2.2.22. In: 10-ssl.conf there are two parameters: ssl_protocols ssl_cipher_list ssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”. If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing ? So is: ssl_cipher_list = !SSLv3 …equivalent to: ssl_protocols = !SSLv3 ssl_cipher_list = !SSLv3
No. SSLv3 is not a cipher but a protocol.
"ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
For ciphers you could define by ssl_cipher_list see "openssl ciphers -v” Hi Alexander and list,
I think there may be a discrepancy in the documentation.
On the wiki on the “Dovecot SSL Configuration” page [1] under the section “SSL security settings” it says:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULLIn the conf.d/10-ssl.conf it states:
# SSL protocols to use #ssl_protocols = !SSLv2 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULLMy new question is:
1. Are the SSL/TLS protocols to use and/or exclude specified in “ssl_protocols”, “ssl_cipher_list” or both ?You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled. ssl protocol defines which protocol(s) to support. ssl_cipher_list defines which cipher(s) to support. They are not the same thing.
Aki
I personally used https://www.ssllabs.com/ssltest/analyze.html when I set up my server to get green across the board for the web server and then used the same ciphers for Dovecot and confirmed the result with https://github.com/drwetter/testssl.sh
ssl_min_protocol = TLSv1 # New in Dovecot 2.3 iirc. ssl_cipher_list = "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED" ssl_prefer_server_ciphers = yes
Good luck, Reio
participants (4)
-
Aki Tuomi
-
Alexander Dalloz
-
J Doe
-
Reio Remma