'ssl_cipher_list' setting
Reindl Harald
h.reindl at thelounge.net
Mon Jan 5 20:59:14 UTC 2015
On 05.01.2015 at 21:53, Yoshito Takeuchi wrote:
> I used
>
> FreeBSD 10.1
> Dovecot 2.2.15
>
> I want pop3s, so I made
>
> /usr/local/etc/dovecot/local.conf
>
> ssl = yes
> ssl_cert = </usr/local/etc/dovecot/server.pem
> ssl_key = </usr/local/etc/dovecot/server.key
> ssl_ca = </usr/local/etc/dovecot/ca.pem
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4
>
> It works fine.
> But after changing it to
>
> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4
>
> ( SSLV3 -> SSLv3 )
>
> I had trouble
>
> /var/log/maillog
>
> Jan 6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking, session=<5e9zuO0LVwB+PO8D>
>
> Is this a bug? Or did I miss a setting?

!SSLV3 was wrong and not recognized.

!SSLv3 is recognized but bullshit, since you want to disable SSLv3 but
not all ciphers which are still valid for newer TLS versions.

You do that already correctly with "ssl_protocols".
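
The difference between the two spellings can be checked locally. The following is an added example, not part of the original message or of Dovecot: it feeds the poster's cipher string to OpenSSL through Python's ssl module and lists which suites each token removes. The helper names `suites` and `removed_by` are made up for this illustration, and the exact suites listed depend on the OpenSSL build Python is linked against.

```python
import ssl

# The poster's list with the SSLv3 token left out; tokens the linked OpenSSL
# does not recognise are skipped by its cipher-string parser.
BASE = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4"


def suites(cipher_list):
    """Map suite name -> protocol label for the suites OpenSSL keeps.

    TLS 1.3 suites are left out: they are configured separately and are not
    affected by this cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing is left
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def removed_by(token, base=BASE):
    """Suites that disappear from `base` when `token` is appended."""
    before = suites(base)
    after = suites(base + ":" + token)
    return {n: p for n, p in before.items() if n not in after}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for token in ("!SSLV3", "!SSLv3"):
        gone = removed_by(token)
        print(f"{token}: removes {len(gone)} of {len(suites(BASE))} suites")
        for name, proto in sorted(gone.items()):
            print(f"    {name:32} minimum protocol {proto}")
```

The suites removed by `!SSLv3` are labelled SSLv3 because that is where they were first defined, but TLS 1.0 and later clients still negotiate them, which is why protocol versions belong in `ssl_protocols` and not in the cipher list.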