FREAK/Logjam, and SSL protocols to use

Emmanuel Dreyfus manu at netbsd.org
Tue May 26 15:18:58 UTC 2015


On Tue, May 26, 2015 at 03:37:39PM +0100, Ron Leach wrote:
> What SSL protocols do folk on the list recommend should be allowed in
> Dovecot these days?  (Actually, I mean which protocols really 'must' be
> disallowed?)

I use this:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
ssl_dh_parameters_length = 4096

Kissing SSLv3 goodbye did not cause harm to clients. Next to be phased 
out is 3DES which accounts for 0.25% of the connexions according to the 
logs. I suspect the offending clients could do better.

-- 
Emmanuel Dreyfus
manu at netbsd.org
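
Added example, not part of the original post: one way to get a per-cipher share like the 3DES figure quoted above from Dovecot login logs before removing a protocol or cipher. It assumes %k is included in login_log_format_elements so each login line records the negotiated protocol and cipher; the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample. Assumes %k is in login_log_format_elements, so a TLS login
# line ends with "<protocol> with cipher <name> (<bits>/<bits> bits)".
SAMPLE_LOG = """\
May 26 15:01:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 26 15:01:09 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, mpid=4102, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 26 15:02:30 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=192.0.2.1, mpid=4103, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 26 15:03:44 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.13, lip=192.0.2.1, mpid=4104, TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
May 26 15:04:00 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.14, lip=192.0.2.1, TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
May 26 15:05:12 mail dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4105, secured
"""

TLS_RE = re.compile(r"\b((?:TLS|SSL)v[\d.]+) with cipher (\S+) \(")

# Substrings of OpenSSL cipher names for the algorithms the post excludes or
# plans to exclude. 3DES suites are named DES-CBC3-*, single DES DES-CBC-*.
WEAK_CIPHER_MARKERS = [("DES-CBC3", "3DES"), ("DES-CBC-", "DES"),
                       ("RC4", "RC4"), ("MD5", "MD5")]

def tally(lines):
    """Count (protocol, cipher) pairs over successful TLS logins only."""
    counts = Counter()
    for line in lines:
        if "-login: Login:" not in line:
            continue  # probes and aborted sessions are not real client usage
        m = TLS_RE.search(line)
        if m:  # local "secured" logins without TLS carry no cipher
            counts[(m.group(1), m.group(2))] += 1
    return counts

def weak_reason(proto, cipher):
    """Return a label if the session used a deprecated protocol or cipher."""
    if proto in ("SSLv2", "SSLv3"):
        return proto
    return next((label for mark, label in WEAK_CIPHER_MARKERS if mark in cipher), None)

def report(counts):
    """Rows of (protocol, cipher, logins, percent, weak label), busiest first."""
    total = sum(counts.values())
    return [(p, c, n, 100.0 * n / total, weak_reason(p, c))
            for (p, c), n in counts.most_common()]

def weak_share(counts):
    """Percentage of TLS logins that would break if weak entries were removed."""
    total = sum(counts.values())
    weak = sum(n for (p, c), n in counts.items() if weak_reason(p, c))
    return 100.0 * weak / total if total else 0.0

if __name__ == "__main__":
    for proto, cipher, n, pct, weak in report(tally(SAMPLE_LOG.splitlines())):
        print(f"{pct:6.2f}%  {n:4d}  {proto:8s} {cipher}" + (f"  <- {weak}" if weak else ""))
```

Grouping the weak rows by user or rip shows which clients need upgrading before the cipher is dropped.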

