I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry
Arkadiusz MiĆkiewicz
2017-Jan-17 13:07 UTC
Correct settings for ssl protocols" and "ssl ciphers"
On Tuesday 17 of January 2017, Jerry wrote:> I have the following two settings in my "10-ssl.conf" file > > # SSL protocols to use > ssl_protocols = !SSLv2 > > # SSL ciphers to use > ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL > > I have seen different configurations while Googling. I am wondering > what the consensus is for the best settings for these two items. What > do the developers recommend?Likely the same or similar to what browsers recommend. See https://wiki.mozilla.org/Security/Server_Side_TLS https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 Currently using: ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES1 28-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:EC DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128- GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3- SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_protocols = !SSLv2 !SSLv3> > Thanks!-- Arkadiusz Mi?kiewicz, arekm / ( maven.pl | pld-linux.org )
On Tue, Jan 17, 2017 at 07:55:15AM -0500, Jerry wrote:>I have the following two settings in my "10-ssl.conf" file > ># SSL protocols to use >ssl_protocols = !SSLv2 > ># SSL ciphers to use >ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL > >I have seen different configurations while Googling. I am wondering >what the consensus is for the best settings for these two items. What >do the developers recommend?Not a developer, but I use the settings from https://cipherli.st, namely: ssl = yes ssl_cert = </etc/dovecot.cert ssl_key = </etc/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 ssl_dh_parameters_length = 4096 # >Dovecot 2.2> >Thanks! > >-- >Jerry-- For more information, please reread.
Emmanuel Dreyfus
2017-Jan-17 13:28 UTC
Correct settings for ssl protocols" and "ssl ciphers"
On Tue, Jan 17, 2017 at 07:55:15AM -0500, Jerry wrote:> I have seen different configurations while Googling. I am wondering > what the consensus is for the best settings for these two items. What > do the developers recommend?According to my own reference https://arxiv.org/abs/1407.2168 I use: ssl_dh_parameters_length = 4096 ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = ECDH at STRENGTH:DH at STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL You may want to disable 3DES nowadays. -- Emmanuel Dreyfus manu at netbsd.org