Restricting SSL/TLS protocol versions on Dovecot 2.2.22
Aki Tuomi
aki.tuomi at dovecot.fi
Mon Jul 30 22:29:32 EEST 2018
> On 30 July 2018 at 21:42 J Doe <general at nativemethods.com> wrote:
>
> > On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> >
> > Am 29.07.2018 um 21:02 schrieb J Doe:
> >> Hello,
> >> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
> >> In: 10-ssl.conf there are two parameters:
> >> ssl_protocols
> >> ssl_cipher_list
> >> ssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”.
> >> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
> >> ssl_cipher_list do the same thing ?
> >> So is:
> >> ssl_cipher_list = !SSLv3
> >> …equivalent to:
> >> ssl_protocols = !SSLv3
> >> ssl_cipher_list = !SSLv3
> >
> >
> > No. SSLv3 is not a cipher but a protocol.
> >
> > "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
> >
> > For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
>
> Hi Alexander and list,
>
> I think there may be a discrepancy in the documentation.
>
> On the wiki on the “Dovecot SSL Configuration” page [1] under the section “SSL security settings” it says:
>
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> In the conf.d/10-ssl.conf it states:
>
> # SSL protocols to use
> #ssl_protocols = !SSLv2
>
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> My new question is:
>
> 1. Are the SSL/TLS protocols to use and/or exclude specified in “ssl_protocols”, “ssl_cipher_list” or both ?
>
You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled. ssl_protocols defines which protocol(s) to support. ssl_cipher_list defines which cipher(s) to support. They are not the same thing.
Aki
> Thanks,
>
> - J
>
> Sources:
> [1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
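To make the distinction concrete, here is a small added check (not Dovecot code, and not posted by anyone in this thread) that reads a 10-ssl.conf-style fragment and reports when a legacy protocol is still reachable. The two config samples are constructed for this example; the parser is a minimal `key = value` reader that only honours whole-line `#` comments, and the absent-setting default of `!SSLv2` is taken from the commented-out default shown in the thread.

```python
"""Lint a Dovecot 2.2 10-ssl.conf fragment for SSLv2/SSLv3 exposure.

Added example: the config samples below are constructed, the parser is a
simplified reader (whole-line '#' comments only), and the names
check_ssl_config / protocol_allowed are this example's own.
"""

from typing import Dict, List

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")
# Dovecot 2.2.22's commented-out default, as shown in the thread.
DEFAULT_SSL_PROTOCOLS = "!SSLv2"


def parse_dovecot_conf(text: str) -> Dict[str, str]:
    """Return active (uncommented) `key = value` settings; the last one wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def protocol_allowed(ssl_protocols: str, proto: str) -> bool:
    """Evaluate an ssl_protocols value (e.g. '!SSLv2 !SSLv3' or 'TLSv1.2').

    Tokens starting with '!' deny a protocol; bare tokens form an allow-list.
    """
    tokens = ssl_protocols.split()
    deny = {t[1:] for t in tokens if t.startswith("!")}
    allow = [t for t in tokens if not t.startswith("!")]
    if proto in deny:
        return False
    if allow:
        return proto in allow
    return True


def check_ssl_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no legacy exposure."""
    settings = parse_dovecot_conf(text)
    protocols = settings.get("ssl_protocols", DEFAULT_SSL_PROTOCOLS)
    cipher_tokens = settings.get("ssl_cipher_list", "").split(":")
    findings: List[str] = []
    for proto in LEGACY_PROTOCOLS:
        if not protocol_allowed(protocols, proto):
            continue
        findings.append(f"{proto} still allowed: add !{proto} to ssl_protocols")
        if f"!{proto}" in cipher_tokens:
            # The common mistake from the thread: a cipher-list exclusion only
            # drops cipher suites, it does not turn off the protocol version.
            findings.append(
                f"!{proto} in ssl_cipher_list removes cipher suites only; "
                f"it does not disable the {proto} protocol"
            )
    return findings


# Constructed sample: tries to switch off SSLv3 through the cipher list alone.
CIPHER_LIST_ONLY = """
ssl = yes
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3
"""

# Constructed sample: the protocol is disabled where it belongs.
PROTOCOLS_FIXED = """
ssl = yes
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
"""

if __name__ == "__main__":
    for name, sample in (("cipher list only", CIPHER_LIST_ONLY),
                         ("protocols fixed", PROTOCOLS_FIXED)):
        print(f"== {name} ==")
        for finding in check_ssl_config(sample) or ["ok"]:
            print("  ", finding)
```

Run it against your own 10-ssl.conf to see whether SSLv3 is really off; the first sample reports two findings, the second none. Note that the `ssl_protocols` directive is specific to Dovecot 2.2; Dovecot 2.3 replaced it with `ssl_min_protocol`, so this check applies to the version discussed here.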