Restricting SSL/TLS protocol versions on Dovecot 2.2.22

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jul 30 22:29:32 EEST 2018


> On 30 July 2018 at 21:42 J Doe <general at nativemethods.com> wrote:
> 
> 
> 
> > On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> > 
> > On 29.07.2018 at 21:02, J Doe wrote:
> >> Hello,
> >> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
> >> In: 10-ssl.conf there are two parameters:
> >>     ssl_protocols
> >>     ssl_cipher_list
> >> ssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list is commented with “SSL ciphers to use”.
> >> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
> >> ssl_cipher_list do the same thing ?
> >> So is:
> >>     ssl_cipher_list = !SSLv3
> >> …equivalent to:
> >>     ssl_protocols = !SSLv3
> >>     ssl_cipher_list = !SSLv3
> > 
> > 
> > No. SSLv3 is not a cipher but a protocol.
> > 
> > "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
> > 
> > For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
> 
> Hi Alexander and list,
> 
> I think there may be a discrepancy in the documentation.
> 
> On the wiki on the “Dovecot SSL Configuration” page [1] under the section “SSL security settings” it says:
> 
>     ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> 
> In the conf.d/10-ssl.conf it states:
> 
>     # SSL protocols to use
>     #ssl_protocols = !SSLv2
> 
>     # SSL ciphers to use
>     #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> 
> My new question is:
> 
>     1. Are the SSL/TLS protocols to use and/or exclude specified in “ssl_protocols”, “ssl_cipher_list” or both ?
> 

You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled. ssl protocol defines which protocol(s) to support. ssl_cipher_list defines which cipher(s) to support. They are not the same thing.

Aki

> Thanks,
> 
> - J
> 
> Sources:
>     [1]  See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
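
Added example (not part of the original thread and not Dovecot code): a Python sketch using the standard ssl module, which hands the cipher string to OpenSSL's cipher-list parser, to show that the protocol floor and the cipher rule are separate settings. The helper names and the TLSv1.2 floor are assumptions for illustration, and it assumes Python is linked against OpenSSL 1.1.1 or later.

```python
import ssl
from collections import Counter

# Cipher string quoted in the thread from the Dovecot wiki / 10-ssl.conf.
WIKI_RULE = "ALL:!LOW:!SSLv2:!EXP:!aNULL"

def make_ctx(cipher_rule, floor=ssl.TLSVersion.TLSv1_2):
    """Server context with the two knobs set separately (floor is an assumed value)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor   # protocol versions: the role of ssl_protocols
    ctx.set_ciphers(cipher_rule)  # cipher suites: the role of ssl_cipher_list
    return ctx

def labels(ctx):
    """Count enabled suites by OpenSSL's per-suite version label."""
    return Counter(c["protocol"] for c in ctx.get_ciphers())

def rule_is_usable(cipher_rule):
    """False when OpenSSL rejects the rule because it selects no suites."""
    try:
        make_ctx(cipher_rule)
        return True
    except ssl.SSLError:
        return False

def compare(base=WIKI_RULE):
    """Return both contexts and the suites that appending '!SSLv3' removed."""
    before, after = make_ctx(base), make_ctx(base + ":!SSLv3")
    kept = {c["name"] for c in after.get_ciphers()}
    removed = {c["name"]: c["protocol"] for c in before.get_ciphers()
               if c["name"] not in kept}
    return before, after, removed

if __name__ == "__main__":
    before, after, removed = compare()
    print("labels before:", dict(labels(before)))
    print("labels after :", dict(labels(after)))
    print("suites removed by !SSLv3:", sorted(removed))
    # The protocol floor is untouched by the cipher rule.
    print("floor before/after:", before.minimum_version.name, after.minimum_version.name)
    # A rule made only of exclusions selects nothing.
    print("'!SSLv3' alone usable:", rule_is_usable("!SSLv3"))
```

In a cipher string, the SSLv3 keyword selects suites by the protocol version in which they were defined, and those suites remain usable under TLS 1.0 through 1.2. Excluding them therefore shrinks the cipher list without changing which protocol versions the server accepts.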

