[Dovecot] ssl_cipher_list

Robert Allerstorfer roal at anet.at
Sun Jul 24 20:45:53 EEST 2005


On Sun, 24 Jul 2005, 17:06 GMT+03 Timo Sirainen wrote:

> On Sun, 2005-07-24 at 11:37 +0200, Robert Allerstorfer wrote:
>> I have noticed the 'ssl_cipher_list' directive in the 1.0-test
>> snapshots which is not in 0.99. Its default value seems to be
>> "all:!low". However, this would not be compatible with openssl's
>> cipher listing format. Thus, I would vote to change its format to be
>> openssl compatible. To be compatible, it has to be changed to
>> "ALL:!LOW" (just uppercased in this case).

> I noticed the Debian bugreport about this. ALL:!LOW is actually the
> default internally, all:!low is shown only in dovecot-example.conf.
> I've changed that already.

Thank you!

>> I want dovecot to only accept high encrypted ciphers, thus it should
>> support
>> 
>> ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

> But will it break some clients? Especially some mobile phones? Are
> there some recommendations of what that list should contain?

I'm pretty sure it will, but I don't care, as long as Mozilla and other
popular MUAs support the strong ciphers. Apache's mod_ssl
'SSLCipherSuite' directive has
"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" as the default - see
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

The +HIGH:+MEDIUM:+LOW:+SSLv2:+EXP at the end only affects the ranking
of the ciphers and should ensure that the stronger ciphers end up on top.

ALL:!LOW and ALL:!LOW:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP result in the
same list, but the latter returns it in a better order, to prefer
"better" ciphers if they are suitable.

best,
rob.
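The two points made in this thread, that OpenSSL cipher-list aliases are case-sensitive (so "all:!low" selects nothing while "ALL:!LOW" works) and that trailing "+" rules only re-order an already selected set, can be checked against the OpenSSL linked into Python rather than by reasoning about the grammar. The following is an added example written for this archive page; it is not Dovecot code or part of the original message, and the function names are made up for illustration. It uses the standard-library ssl module, which hands the string to OpenSSL's SSL_CTX_set_cipher_list exactly as Dovecot's ssl_cipher_list does.

```python
"""Check OpenSSL cipher-list strings of the kind used in Dovecot's
ssl_cipher_list.  Added example for this mailing-list thread, not
Dovecot or OpenSSL project code; function names are illustrative.
"""
import ssl


def resolve_cipher_list(cipher_string):
    """Return the cipher names OpenSSL selects for cipher_string, in the
    order OpenSSL will offer them.

    Raises ssl.SSLError when OpenSSL rejects the string or when no
    cipher matches.  Alias matching is case-sensitive, so in "all:!low"
    both words are unknown aliases: OpenSSL ignores them, the resulting
    list is empty and set_ciphers() fails with "No cipher can be
    selected".  Unknown aliases in an otherwise valid string (e.g. a
    "+SSLv2" rule on a build without SSLv2) are skipped silently.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def cipher_list_is_valid(cipher_string):
    """True if OpenSSL accepts the string and selects at least one cipher."""
    try:
        return len(resolve_cipher_list(cipher_string)) > 0
    except ssl.SSLError:
        return False


def compare_cipher_lists(first, second):
    """Compare two cipher strings.

    Returns (same_set, same_order): whether both select the same set of
    suites, and whether they also produce them in the same order.  A
    trailing "+HIGH:+MEDIUM:..." rule can only change the order, never
    the set, so same_set is expected to be True for such variants.
    """
    list_a = resolve_cipher_list(first)
    list_b = resolve_cipher_list(second)
    return set(list_a) == set(list_b), list_a == list_b


if __name__ == "__main__":
    # The strings discussed in the thread; the first one is the broken
    # lowercase default from the old dovecot-example.conf.
    for candidate in (
        "all:!low",
        "ALL:!LOW",
        "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM",
    ):
        print(f"{candidate!r:50} valid={cipher_list_is_valid(candidate)}")

    same_set, same_order = compare_cipher_lists(
        "ALL:!LOW", "ALL:!LOW:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    )
    print(f"same set: {same_set}, same order: {same_order}")
    for name in resolve_cipher_list("ALL:!LOW:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"):
        print("  ", name)
```

Running it prints the validity of each string and then the ordered list OpenSSL actually derives from the reordered variant, which is a quicker way to answer "will this break client X" than guessing from the alias names: paste the exact ssl_cipher_list value and read off what is offered first. Note that which suites appear at all depends on the OpenSSL version Python is linked against (LOW and EXP match nothing on current builds), so the order printed here is what that particular library would negotiate, not a universal answer.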
