FREAK/Logjam, and SSL protocols to use
ronleach at tesco.net
Tue May 26 14:37:39 UTC 2015
List, good afternoon,
I was reading up on a TLS Diffie Hellman protocol weakness described here
which is similar to the earlier FREAK attack, and can result in
downgrade of cipher suites.
Part of the solution workaround that the researchers describe for
includes altering DH parameters length to 2048, and re-specifying the
allowable cipher suites - they give their suggestion.
But the researchers make no comment on the allowable protocols that,
in Dovecot, are controlled in 10-ssl.conf in the stanza headed
# SSL protocols to use
#ssl_protocols = !SSLv2
I couldn't find any advice on up-to-date SSL/TLS protocol settings in
the Dovecot wiki, either (I looked in
At the moment our installation is using only the default settings for
allowed protocols; I'm not sure what those defaults might be, but our
10-ssl.conf may only be disallowing SSLv2, if the 'example' entry is
the default. We're running 2.2.15, and are due to upgrade to 2.2.18
shortly; quite possibly the defaults differ in a more recent release.
What SSL protocols do folk on the list recommend should be allowed in
Dovecot these days? (Actually, I mean which protocols really 'must'
More information about the dovecot