disabling certain ciphers

Reindl Harald h.reindl at thelounge.net
Tue Dec 2 09:32:01 UTC 2014


Am 02.12.2014 um 06:44 schrieb Will Yardley:
> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
>> On 12/1/2014 4:43 PM, Will Yardley wrote:
>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config
>>> (in a way that's sane)?
>>
>>> Is there a way to exclude these ciphers, while still keeping my config
>>> easy to parse and avoiding duplicative or deprecated configs?
>>
>> Yes to both.  If you need to support older clients:
>>
>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>> ssl_dh_parameters_length = 2048
>> ssl_parameters_regenerate = 0
>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>
> But why does ssl_protocols behave differently depending on if
> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>
> It seems that if ssl_cipher_list is defined,
> ssl_protocols = !SSLv2 !SSLv3
>
> results in TLS1.2 being the only one active, but if it is defined, 1.0,
> 1.1, and 1.2 are all active?

ssl_protocols = !SSLv2 !SSLv3

and you are fine, aynthing else is nonsense because when TLSv1.3 will be 
released you go to each and every server to add it to the config? likely 
not!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141202/c94573a4/attachment.sig>


More information about the dovecot mailing list