[Dovecot] ssl_cipher_list

Timo Sirainen tss at iki.fi
Sun Jul 24 17:06:28 EEST 2005


On Sun, 2005-07-24 at 11:37 +0200, Robert Allerstorfer wrote:
> I have noticed the 'ssl_cipher_list' directive in the 1.0-test
> snapshots which is not in 0.99. Its default value seems to be
> "all:!low". However, this would not be compatible with openssl's
> cipher listing format. Thus, I would vote to change its format to be
> openssl compatible. To be compatible, it has to be changed to
> "ALL:!LOW" (just uppercased in this case). IMO, this would be helpful
> because executing

I noticed the Debian bug report about this. ALL:!LOW is actually the
default internally, all:!low is shown only in dovecot-example.conf. I've
changed that already.

> I want dovecot to only accept high encrypted ciphers, thus it should
> support
> 
> ssl_cipher_list = ALL:!ADH!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

But will it break some clients? Especially some mobile phones? Are there
some recommendations of what that list should contain?

> This would really make "Dovecot (...) written with security primarily
> in mind"

Well, it's just the SSL part and the only thing it does is to prevent
correctly behaving but lowly-secured clients from connecting. Perhaps
the default should be different depending on the disable_plaintext_auth
setting. At least there's no reason to prevent lowly secured connections
from working if the "fix" is to disable SSL entirely.
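To answer the "will it break some clients?" question for a concrete cipher string before putting it in dovecot.conf, the following added example (my own illustration, not code from this thread or from Dovecot) feeds the strings quoted above to the local OpenSSL through Python's ssl module. It shows that the lowercase "all:!low" is rejected outright, expands "ALL:!LOW" and the proposed stricter list into the suites they actually select, and reports which suites a candidate drops relative to ALL, which is exactly the set whose loss could lock out an old client. The function names and the use of a PROTOCOL_TLS_SERVER context are assumptions of this example.

```python
"""Expand candidate Dovecot ssl_cipher_list strings with the local OpenSSL."""
import ssl

# Cipher strings taken from the thread above (inputs for this example).
SHOWN_DEFAULT = "all:!low"      # what dovecot-example.conf showed
INTERNAL_DEFAULT = "ALL:!LOW"   # the real internal default
PROPOSED = "ALL:!ADH!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"


def expand(cipher_string):
    """Return the cipher suites OpenSSL selects for cipher_string, as the
    dicts produced by SSLContext.get_ciphers(), or None if OpenSSL rejects
    the string because no suite matches it (e.g. lowercase aliases)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # assumed: server-side context
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # The cipher string only governs TLS 1.2-and-earlier suites; TLS 1.3
    # suites are configured separately in OpenSSL >= 1.1.1, so drop them
    # from the comparison.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_names(cipher_string):
    """Suite names in OpenSSL's preference order, or None if rejected."""
    suites = expand(cipher_string)
    return None if suites is None else [c["name"] for c in suites]


def min_strength_bits(cipher_string):
    """Weakest symmetric key strength (in bits) the string still allows."""
    suites = expand(cipher_string)
    return None if not suites else min(c["strength_bits"] for c in suites)


def excluded_by(candidate, baseline="ALL"):
    """Suites the baseline offers that the candidate drops. A client that
    can only negotiate one of these will fail to connect once the
    candidate is deployed, so this is the list to check against the
    oldest clients you need to keep working."""
    base = cipher_names(baseline) or []
    cand = cipher_names(candidate) or []
    return sorted(set(base) - set(cand))


if __name__ == "__main__":
    for label, s in (("shown default", SHOWN_DEFAULT),
                     ("internal default", INTERNAL_DEFAULT),
                     ("proposed", PROPOSED)):
        names = cipher_names(s)
        if names is None:
            print(f"{label:17s} {s!r}: rejected by OpenSSL (no cipher matches)")
            continue
        print(f"{label:17s} {s!r}: {len(names)} suites, "
              f"weakest {min_strength_bits(s)} bits")
        print("   drops relative to ALL:", ", ".join(excluded_by(s)) or "(nothing)")
```

Run it as-is to see the three strings from the thread evaluated against whatever OpenSSL your Python links against; pass your own candidate string to excluded_by() to review the drop list before changing ssl_cipher_list on a production server.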
