Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I explicitly do !SSLv3 in ssl_cipher_list in addition to disabling it in $ssl_protocols. This is different from Apache, which has similar parameters, but where disabling the protocol takes precedence. If I just do: ssl_protocols = !SSLv2 !SSLv3 I still get some ciphers that show up as "weak", e.g., | SSLv3: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_DES_CBC_SHA - weak [....] | TLS_RSA_WITH_DES_CBC_SHA - weak Is there a way to exclude these ciphers, while still keeping my config easy to parse and avoiding duplicative or deprecated configs? The behavior is also pretty strange; if I have something like one of the following, with or without $ssl_protocols set to exclude SSLv2 and SSLv3: ssl_cipher_list = HIGH:!MEDIUM:!LOW:!SSLv3 ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:!MEDIUM TLS v1.0 and v1.1 get disabled as well. I also can't seem to explicitly enable TLS 1.0 or 1.1 in $ssl_cipher_list. w
On 12/1/2014 4:43 PM, Will Yardley wrote:> Can you use both ssl_protocols *and* ssl_cipher_list in the same config > (in a way that's sane)?> Is there a way to exclude these ciphers, while still keeping my config > easy to parse and avoiding duplicative or deprecated configs?Yes to both. If you need to support older clients: ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH ssl_dh_parameters_length = 2048 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 If your userbase is limited to current clients and OSes, you can take it a bit further: ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH ssl_dh_parameters_length = 4096 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 This drops 3DES support and makes forward secrecy mandatory.
On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:> On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > > Yes to both. If you need to support older clients: > > ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH > ssl_dh_parameters_length = 2048 > ssl_parameters_regenerate = 0 > ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2But why does ssl_protocols behave differently depending on if $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient? It seems that if ssl_cipher_list is defined, ssl_protocols = !SSLv2 !SSLv3 results in TLS1.2 being the only one active, but if it is defined, 1.0, 1.1, and 1.2 are all active? w