disabling certain ciphers

Darren Pilgrim list_dovecot at bluerosetech.com
Tue Dec 2 16:34:50 UTC 2014


On 12/1/2014 9:44 PM, Will Yardley wrote:
> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
>> On 12/1/2014 4:43 PM, Will Yardley wrote:
>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config
>>> (in a way that's sane)?
>>
>>> Is there a way to exclude these ciphers, while still keeping my config
>>> easy to parse and avoiding duplicative or deprecated configs?
>>
>> Yes to both.  If you need to support older clients:
>>
>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>> ssl_dh_parameters_length = 2048
>> ssl_parameters_regenerate = 0
>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>
> But why does ssl_protocols behave differently depending on if
> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>
> It seems that if ssl_cipher_list is defined,
> ssl_protocols = !SSLv2 !SSLv3
>
> results in TLS1.2 being the only one active, but if it is defined, 1.0,
> 1.1, and 1.2 are all active?

Where are you seeing this behaviour?  What tool is reporting this?
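As an added example (not part of this thread and not Dovecot's own code), the following Python script expands the quoted ssl_cipher_list with the local OpenSSL the way Dovecot does when it hands the string to OpenSSL, and checks that the "!" exclusions really removed the RC4, MD5, SRP, PSK and anonymous suites. The protocol_context helper, which maps the ssl_protocols floor onto Python's minimum_version, and the EXCLUDED_FRAGMENTS list are my own constructions for the check, not a Dovecot interface.

```python
import ssl

# The ssl_cipher_list value quoted in the thread, verbatim.
DOVECOT_CIPHER_LIST = "HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH"

# Suite-name fragments that the "!" exclusions above are meant to remove
# (constructed for this check). ADH and AECDH are the anonymous (aNULL)
# Diffie-Hellman suites.
EXCLUDED_FRAGMENTS = ("RC4", "MD5", "SRP", "PSK", "ADH", "AECDH", "NULL")


def expand_cipher_list(cipher_string: str) -> list:
    """Return the suite names the local OpenSSL enables for a cipher string.

    Dovecot passes ssl_cipher_list to OpenSSL unchanged, so this is the same
    expansion the server performs. The exact list depends on the OpenSSL
    build; on OpenSSL 1.1.1+ the TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and
    friends) are always present because they are configured separately from
    this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(suite_names) -> list:
    """Suites whose name still contains an excluded fragment.

    An empty result means the exclusions did what the config intends.
    """
    return [n for n in suite_names
            if any(fragment in n for fragment in EXCLUDED_FRAGMENTS)]


def cipher_string_is_valid(cipher_string: str) -> bool:
    """True if OpenSSL accepts the string, False if it selects no suite.

    A typo that leaves nothing selectable fails here, offline, instead of
    on the live mail server.
    """
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


def protocol_context(cipher_string: str,
                     minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2
                     ) -> ssl.SSLContext:
    """Build a server context mirroring ssl_protocols plus ssl_cipher_list.

    Python's ssl module expresses the protocol floor as minimum_version
    rather than as the Dovecot-style "!SSLv2 !SSLv3" exclusion list;
    PROTOCOL_TLS_SERVER never enables SSLv2 or SSLv3. Pass
    ssl.TLSVersion.TLSv1 for the "older clients" case from the thread, and
    note that OpenSSL 3 builds still refuse TLS 1.0/1.1 at the default
    security level even when the floor is set that low.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    suites = expand_cipher_list(DOVECOT_CIPHER_LIST)
    print(f"{len(suites)} suites enabled; weak leftovers: {weak_suites(suites)}")
    ctx = protocol_context(DOVECOT_CIPHER_LIST)
    print("protocol floor:", minimum_version_name(ctx))
```

Run it on the host that will run Dovecot, since the expansion reflects that host's OpenSSL build, not the one on your workstation; a non-empty weak_suites result means the exclusion list needs another "!" term.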


