[Dovecot] How to disable SSL and TLSv1.1?

Darren Pilgrim list_dovecot at bluerosetech.com
Thu Sep 12 01:46:38 EEST 2013


On 9/9/2013 4:09 PM, Reindl Harald wrote:
> Am 09.09.2013 22:56, schrieb Darren Pilgrim:
>> I'm running Dovecot 2.2.5 and want to make it refuse SSLv2, SSLv3 and TLSv1.0.  Clients will opportunistically use
>> TLS 1.1 and 1.2, but now I want to require that they do so.  Is it enough to set
>>
>> ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5
>> or are there additional settings I need to specify?
>
> and what clients do you imagine to connect?

Thunderbird and a Webmail app.

> on most widely used distributions you even have no openssl
> version supporting TLS 1.2 and so you lock them all out

OpenSSL 1.0.1 supports TLS 1.2.  So do Windows 7/8 and Mac OS X.
Mozilla NSS 3.15 does 1.2.

FWIW, I was able to get it working with the following:

ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH

The above disables SSLv2, v3 and TLSv1.0, leaving only TLSv1.1 with 
AES/Camellia/3DES and TLSv1.2 with AES/AES-GCM.

Dovecot lacks the ability to disable TLS 1.1 or 1.2.  Adding support for
specifying TLSv1.1 and TLSv1.2 in ssl_protocols looks pretty
straightforward: add 0x08 and 0x10 to the enum in
src/lib-ssl-iostream/iostream-openssl-common.c and expand the various
tests to include the appropriate strings.

Would a user-submitted patch to add TLSv1.1 and TLSv1.2 support to 
ssl_protocols be appreciated?


-- 
Please reply on list.
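The following is an added example written for this page, not code from Dovecot or from the message's author. It models how an ssl_protocols value is reduced to the set of protocol versions a server ends up accepting, using the enum bits the message describes (0x01/0x02/0x04 in 2.2.5, 0x08/0x10 proposed for TLSv1.1/TLSv1.2). The include/exclude rule, comma-or-space tokenising and case-insensitive matching are assumptions about Dovecot's parser rather than a transcription of it; the point it demonstrates is the one the message makes: versions the build cannot name can never be switched off, so "!SSLv2 !SSLv3 !TLSv1" on 2.2.5 leaves TLS 1.1 and 1.2 and nothing else, and "!TLSv1.1" is a configuration error until the enum is extended.

```python
# Added example (not Dovecot's code): model of how an ssl_protocols
# setting maps to the protocol versions a server accepts.
# Bit values follow the message: 0x01/0x02/0x04 exist in Dovecot 2.2.5,
# 0x08/0x10 are the ones proposed for TLSv1.1/TLSv1.2.  The include/exclude
# rule and case-insensitive matching are assumptions about the parser.

# Versions an OpenSSL 1.0.1 build can negotiate (the message says 1.0.1
# supports TLS 1.2).
OPENSSL_1_0_1 = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Versions Dovecot 2.2.5 can name in ssl_protocols, with their enum bits.
DOVECOT_2_2_5 = {"SSLv2": 0x01, "SSLv3": 0x02, "TLSv1": 0x04}

# The same table after the extension proposed in the message.
DOVECOT_PROPOSED = {**DOVECOT_2_2_5, "TLSv1.1": 0x08, "TLSv1.2": 0x10}


def protocol_mask(setting, known):
    """Return the bitmask of *known* versions the setting leaves enabled.

    Tokens are separated by spaces or commas; a leading '!' excludes a
    version.  If any version is listed without '!', only the listed (and
    not excluded) versions stay enabled; otherwise everything known stays
    enabled except the excluded ones.  An unknown name is a config error,
    which is what happens on 2.2.5 if you try "!TLSv1.1".
    """
    lookup = {name.lower(): bit for name, bit in known.items()}
    all_bits = 0
    for bit in known.values():
        all_bits |= bit
    include = exclude = 0
    for token in setting.replace(",", " ").split():
        negated = token.startswith("!")
        name = token[1:] if negated else token
        bit = lookup.get(name.lower())
        if bit is None:
            raise ValueError("Unknown protocol %r in ssl_protocols" % name)
        if negated:
            exclude |= bit
        else:
            include |= bit
    if include:
        # A positive list was given: disable everything not included.
        exclude |= all_bits & ~(include & ~exclude)
    return all_bits & ~exclude


def accepted_versions(setting, known, library_supported):
    """Versions the server will accept: whatever the TLS library supports
    minus the known versions the setting switched off.  Versions the
    Dovecot build cannot name are never switched off; that is the gap the
    message points out for TLSv1.1 and TLSv1.2."""
    mask = protocol_mask(setting, known)
    return {v for v in library_supported if v not in known or mask & known[v]}


if __name__ == "__main__":
    cfg = "!SSLv2 !SSLv3 !TLSv1"
    print(cfg, "->", sorted(accepted_versions(cfg, DOVECOT_2_2_5, OPENSSL_1_0_1)))
    print("TLSv1.2 (proposed enum) ->",
          sorted(accepted_versions("TLSv1.2", DOVECOT_PROPOSED, OPENSSL_1_0_1)))
    try:
        protocol_mask("!TLSv1.1", DOVECOT_2_2_5)
    except ValueError as err:
        print("2.2.5:", err)
```

Note that ssl_cipher_list plays no part in this: a cipher string restricts which suites are offered, not which protocol versions are negotiated, so a cipher-list entry such as the "!TLSv1.0" from the original question cannot substitute for ssl_protocols.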

