'ssl_cipher_list' setting

Yoshito Takeuchi kinchan at kinchan.com
Tue Jan 6 19:10:13 UTC 2015


Hi Reindl Harald

Thank you for your reply.
I got it.

I changed my /usr/local/etc/dovecot/local.conf as below.

ssl = yes
ssl_cert = </usr/local/etc/dovecot/server.pem
ssl_key = </usr/local/etc/dovecot/server.key
ssl_ca = </usr/local/etc/dovecot/ca.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4

It works fine.

Thank you again

Yoshi


2015-01-06 5:59 GMT+09:00 Reindl Harald <h.reindl at thelounge.net>:
>
> Am 05.01.2015 um 21:53 schrieb Yoshito Takeuchi:
>>
>> I used
>>
>> FreeBSD 10.1
>> Dovecot 2.2.15
>>
>> I want pop3s, so I made
>>
>> /usr/local/etc/dovecot/local.conf
>>
>> ssl = yes
>> ssl_cert = </usr/local/etc/dovecot/server.pem
>> ssl_key = </usr/local/etc/dovecot/server.key
>> ssl_ca = </usr/local/etc/dovecot/ca.pem
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4
>>
>> It works fine.
>> But, when I change it to
>>
>> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4
>>
>> (SSLV3 -> SSLv3)
>>
>> I ran into trouble:
>>
>> /var/log/maillog
>>
>> Jan  6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking, session=<5e9zuO0LVwB+PO8D>
>>
>> Is this a bug? Or did I miss a setting?
>
>
> !SSLV3 was wrong and not recognized
> !SSLv3 is recognized but bullshit since you want to disable SSLv3 but not
> all ciphers which are still valid for newer TLS versions
>
> you do that already correctly with "ssl_protocols"
>
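To make Reindl's point concrete, here is an added example (not part of this thread) that uses Python's ssl module, and therefore whatever OpenSSL the interpreter links, to compare the three cipher strings that appear above. The exact suite names depend on the local OpenSSL build; the relationships between the three lists do not.

```python
import ssl

# The three cipher strings from this thread.
FINAL = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4"            # the working local.conf
TYPO = "ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4"      # '!SSLV3' is an unknown token
STRICT = "ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4"    # '!SSLv3' is valid, but filters suites


def enabled_ciphers(cipher_string):
    """Return (name, minimum protocol) for every TLS 1.2-and-below suite a
    server context built from cipher_string would offer.  TLS 1.3 suites are
    configured separately by OpenSSL and are skipped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing matches
    return [(c["name"], c["protocol"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def minimum_protocols(cipher_string):
    """Set of minimum protocol versions among the enabled suites.  In an OpenSSL
    cipher string 'SSLv3' is a suite group (suites first defined in the SSLv3
    spec, such as AES128-SHA), not a protocol version; TLS 1.0 to 1.2 clients
    negotiate these suites routinely."""
    return {proto for _, proto in enabled_ciphers(cipher_string)}


def dropped_by_not_sslv3():
    """Suites that the '!SSLv3' token removes relative to the working config."""
    return sorted(set(enabled_ciphers(FINAL)) - set(enabled_ciphers(STRICT)))


if __name__ == "__main__":
    # 1. The misspelled token is silently ignored: same list as FINAL.
    print("typo ignored:", enabled_ciphers(TYPO) == enabled_ciphers(FINAL))
    # 2. FINAL still offers the SSLv3-era suites; the SSLv3 *protocol* is
    #    switched off by ssl_protocols, which is the right place for that.
    print("FINAL minimum versions: ", sorted(minimum_protocols(FINAL)))
    # 3. STRICT removes every such suite, so a client that only speaks plain
    #    RSA + AES-CBC-SHA1 style suites can no longer complete the handshake.
    print("STRICT minimum versions:", sorted(minimum_protocols(STRICT)))
    for name, proto in dropped_by_not_sslv3():
        print("  dropped by !SSLv3:", name, proto)
```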

