disabling certain ciphers
Darren Pilgrim
list_dovecot at bluerosetech.com
Tue Dec 2 05:27:48 UTC 2014
On 12/1/2014 4:43 PM, Will Yardley wrote:
> Can you use both ssl_protocols *and* ssl_cipher_list in the same config
> (in a way that's sane)?
> Is there a way to exclude these ciphers, while still keeping my config
> easy to parse and avoiding duplicative or deprecated configs?
Yes to both. If you need to support older clients:
ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
If your userbase is limited to current clients and OSes, you can take it
a bit further:
ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH
ssl_dh_parameters_length = 4096
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
This drops 3DES support and makes forward secrecy mandatory.
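Added example (not part of the original thread and not Dovecot's own code): a small Python linter that parses a Dovecot SSL fragment like the two above and checks it against the points made in the reply, namely that SSLv2/SSLv3 are explicitly disabled, that RC4, MD5 and anonymous suites are not positively selected, that the DH parameter length is at least 2048 bits, and whether the cipher string makes forward secrecy mandatory. The cipher-string handling is a heuristic over OpenSSL cipher-list tokens, not a re-implementation of OpenSSL's cipher selection; the "legacy" fragment is constructed for the demonstration.

```python
"""Check a Dovecot SSL config fragment against the settings recommended
in the reply above.  Added example, not Dovecot's own code; the cipher
handling is a token-level heuristic, not OpenSSL's cipher resolution."""

# Thresholds and exclusions are taken from the two fragments in the reply.
MIN_DH_BITS = 2048
BANNED_PROTOCOLS = ("SSLv2", "SSLv3")
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "aNULL")   # must never be positively selected
PFS_KEYWORDS = ("kEECDH", "kEDH")              # ephemeral key-exchange selectors


def parse_dovecot_fragment(text):
    """Parse 'key = value' lines into a dict; blanks and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def cipher_tokens(cipher_list):
    """Split an OpenSSL cipher string into (negated, token) pairs.
    Ordering directives such as @STRENGTH are dropped; both '!' and '-'
    prefixes are treated as negation for this heuristic."""
    out = []
    for tok in cipher_list.split(":"):
        tok = tok.strip()
        if not tok or tok.startswith("@"):
            continue
        negated = tok[0] in "!-"
        out.append((negated, tok.lstrip("!-")))
    return out


def forward_secrecy_mandatory(cipher_list):
    """True when every positive selector is tied to an ephemeral key exchange
    (e.g. HIGH+kEECDH), so no static-RSA suite can be negotiated."""
    positives = [tok for neg, tok in cipher_tokens(cipher_list) if not neg]
    if not positives:
        return False
    return all(any(k in tok.split("+") for k in PFS_KEYWORDS) for tok in positives)


def lint_ssl_settings(settings):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []

    protos = settings.get("ssl_protocols", "").split()
    for banned in BANNED_PROTOCOLS:
        if banned in protos:
            findings.append(f"ssl_protocols enables {banned}")
        elif f"!{banned}" not in protos:
            findings.append(f"ssl_protocols does not explicitly disable {banned}")

    ciphers = settings.get("ssl_cipher_list", "")
    if not ciphers:
        findings.append("ssl_cipher_list is not set")
    tokens = cipher_tokens(ciphers)
    for neg, tok in tokens:
        if not neg and tok in WEAK_CIPHER_TOKENS:
            findings.append(f"ssl_cipher_list positively selects {tok}")
    if not any(neg and tok == "aNULL" for neg, tok in tokens):
        findings.append("ssl_cipher_list does not exclude aNULL (anonymous) suites")

    dh = settings.get("ssl_dh_parameters_length")
    if dh is None or not dh.isdigit():
        findings.append("ssl_dh_parameters_length is missing or not numeric")
    elif int(dh) < MIN_DH_BITS:
        findings.append(f"ssl_dh_parameters_length {dh} is below {MIN_DH_BITS}")

    return findings


# Constructed sample: a permissive fragment that still allows SSLv3, RC4 and 1024-bit DH.
LEGACY_FRAGMENT = """
ssl_cipher_list = HIGH:MEDIUM:RC4:!aNULL
ssl_dh_parameters_length = 1024
ssl_protocols = !SSLv2 SSLv3 TLSv1
"""

# The stricter fragment from the reply, copied verbatim.
STRICT_FRAGMENT = """
ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH
ssl_dh_parameters_length = 4096
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
"""

if __name__ == "__main__":
    for name, frag in (("legacy", LEGACY_FRAGMENT), ("strict", STRICT_FRAGMENT)):
        cfg = parse_dovecot_fragment(frag)
        print(name, lint_ssl_settings(cfg) or "OK",
              "PFS mandatory:", forward_secrecy_mandatory(cfg.get("ssl_cipher_list", "")))
```

Run it on a copy of your own `10-ssl.conf` fragment to see which of the reply's recommendations it misses; for the first (older-client) fragment in the reply the linter passes but `forward_secrecy_mandatory` returns False, because plain `HIGH` still admits static-RSA suites, which is exactly the difference the second fragment closes.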