disabling certain ciphers
Darren Pilgrim
list_dovecot at bluerosetech.com
Tue Dec 2 17:36:05 UTC 2014
On 12/2/2014 8:38 AM, Reindl Harald wrote:
>
>
> Am 02.12.2014 um 17:33 schrieb Darren Pilgrim:
>> On 12/2/2014 1:32 AM, Reindl Harald wrote:
>>>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>>>> ssl_dh_parameters_length = 2048
>>>>> ssl_parameters_regenerate = 0
>>>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>>>
>>>> But why does ssl_protocols behave differently depending on if
>>>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>>>
>>>> It seems that if ssl_cipher_list is defined,
>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>
>>>> results in TLS1.2 being the only one active, but if it is defined, 1.0,
>>>> 1.1, and 1.2 are all active?
>>>
>>> ssl_protocols = !SSLv2 !SSLv3
>>>
>>> and you are fine, aynthing else is nonsense because when TLSv1.3 will be
>>> released you go to each and every server to add it to the config? likely
>>> not!
>>
>> Configuration management. :)
>
> mis-management is the right word for disable future procotols
It wouldn't. As you've pointed out, you don't have to explicitly enable
TLSv1.0+. That's because they're (now) enabled by default. There was a
period of time when TLSv1.1 and TLSv1.2 weren't enabled by default.
There are also some softwares that don't do the SSL setup correctly
without explicit protocol lists. It's easier to be uniformly explicit
everywhere. I'd rather be needlessly explicit than have a security
failure due to incorrectly assuming an implicit behaviour.
>> Also, no, you need to do more than just disable SSLv3. You need to
>> disable several cipher groups allowed in TLSv1.0 and TLSv1.1, bump up
>> the DH parameter size, and, if your client base allows it, only allow
>> ciphers with forward secrecy
>
> i *only* referred to "ssl_protocols" and not to ciphers
Sorry, that wasn't obvious to me.
> that below are sane settings supporting older Outlooks only talking
> RC4/DES but prefer a specific order for other clients
>
> ssl_protocols = !SSLv2 !SSLv3
> ssl_prefer_server_ciphers = yes
> ssl_options = no_compression
> ssl_cipher_list =
[really long cipherspec snipped]
A student of Mozilla's security policies, I see. ;)
You really only need TLSv1 3DES without PFS for Outlook on Windows
XP/2003. Outlook on later Windows will do TLSv1 DHE-AES. Older Android
devices will need TLSv1 AES128 without PFS. The minimum would therefore be:
HIGH+kEECDH:HIGH+kEDH:-3DES:AES128-SHA:DES-CBC3-SHA:!aNULL:@STRENGTH
Supporting other older ciphers may support ancient Android, IOS, MacOS
and Thunderbird clients, but IME AES128-SHA and DES-CBC3-SHA are all you
need for a realistic userbase of old software.
More information about the dovecot
mailing list