FREAK/Logjam, and SSL protocols to use
Emmanuel Dreyfus
manu at netbsd.org
Tue May 26 15:18:58 UTC 2015
On Tue, May 26, 2015 at 03:37:39PM +0100, Ron Leach wrote:
> What SSL protocols do folk on the list recommend should be allowed in
> Dovecot these days? (Actually, I mean which protocols really 'must' be
> disallowed?)
I use this:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
ssl_dh_parameters_length = 4096
Kissing SSLv3 good bye did not cause harm to clients. Next to be phased
out is 3DES which accounts for 0.25% of the connexions according to the
logs. I suspect the offending clients could do better.
--
Emmanuel Dreyfus
manu at netbsd.org
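
An added example, not part of the original message: one way to measure the share of 3DES connections from the logs before disabling the cipher, and to list the clients that would be affected. It assumes %k (the TLS security string) has been added to login_log_format_elements in the Dovecot configuration; the log lines, users and addresses below are constructed.

```python
import re
from collections import Counter

# %k is logged as e.g. "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
TLS_RE = re.compile(r"\b(SSLv[23]|TLSv1(?:\.[0-3])?) with cipher (\S+)")
USER_RE = re.compile(r"user=<([^>]*)>")
RIP_RE = re.compile(r"rip=([0-9A-Fa-f.:]+)")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "May 26 15:01 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=41, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 26 15:02 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, mpid=42, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 26 15:03 mx dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=43, TLS, TLSv1 with cipher DES-CBC3-SHA (112/168 bits)",
    "May 26 15:04 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.12, lip=192.0.2.1, mpid=44, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 26 15:05 mx dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.5, lip=192.0.2.1",
]

def is_3des(cipher):
    """OpenSSL names 3DES suites with DES-CBC3 (e.g. DES-CBC3-SHA)."""
    return "DES-CBC3" in cipher or "3DES" in cipher

def survey(lines):
    """Return (protocol counts, cipher counts, clients that negotiated 3DES)."""
    protocols, ciphers, legacy = Counter(), Counter(), set()
    for line in lines:
        tls = TLS_RE.search(line)
        if "-login: Login:" not in line or not tls:
            continue  # not a successful login, or no TLS string logged
        proto, cipher = tls.groups()
        protocols[proto] += 1
        ciphers[cipher] += 1
        if is_3des(cipher):
            user, rip = USER_RE.search(line), RIP_RE.search(line)
            legacy.add((user.group(1) if user else "?",
                        rip.group(1) if rip else "?"))
    return protocols, ciphers, legacy

def share_3des(ciphers):
    """Fraction of TLS logins that used a 3DES suite (0.0 if no logins)."""
    total = sum(ciphers.values())
    return sum(n for c, n in ciphers.items() if is_3des(c)) / total if total else 0.0

if __name__ == "__main__":
    protocols, ciphers, legacy = survey(SAMPLE_LOG)
    print(dict(protocols), dict(ciphers))
    print("3DES share: {:.2%}".format(share_3des(ciphers)), sorted(legacy))
```

On a live server, pass the lines of the mail log to survey() instead of SAMPLE_LOG; the legacy set names the users and addresses to contact before adding !3DES to ssl_cipher_list.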