Hello,

I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.

In: 10-ssl.conf there are two parameters:

    ssl_protocols
    ssl_cipher_list

ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".

If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing?

So is:

    ssl_cipher_list = !SSLv3

...equivalent to:

    ssl_protocols = !SSLv3
    ssl_cipher_list = !SSLv3

Thanks,

- J

Alexander Dalloz
2018-Jul-29 22:02 UTC
Restricting SSL/TLS protocol versions on Dovecot 2.2.22
On 29.07.2018 at 21:02, J Doe wrote:
> Hello,
>
> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
>
> In: 10-ssl.conf there are two parameters:
>
> ssl_protocols
> ssl_cipher_list
>
> ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
>
> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
> ssl_cipher_list do the same thing?
>
> So is:
>
> ssl_cipher_list = !SSLv3
>
> ...equivalent to:
>
> ssl_protocols = !SSLv3
> ssl_cipher_list = !SSLv3

No. SSLv3 is not a cipher but a protocol.

"ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.

For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"

> Thanks,
>
> - J

Alexander

> On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>
> On 29.07.2018 at 21:02, J Doe wrote:
>> Hello,
>> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
>> In: 10-ssl.conf there are two parameters:
>> ssl_protocols
>> ssl_cipher_list
>> ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
>> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
>> ssl_cipher_list do the same thing?
>> So is:
>> ssl_cipher_list = !SSLv3
>> ...equivalent to:
>> ssl_protocols = !SSLv3
>> ssl_cipher_list = !SSLv3
>
> No. SSLv3 is not a cipher but a protocol.
>
> "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
>
> For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"

Hi Alexander and list,

I think there may be a discrepancy in the documentation. On the wiki on the "Dovecot SSL Configuration" page [1] under the section "SSL security settings" it says:

    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

In the conf.d/10-ssl.conf it states:

    # SSL protocols to use
    #ssl_protocols = !SSLv2

    # SSL ciphers to use
    #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

My new question is:

1. Are the SSL/TLS protocols to use and/or exclude specified in "ssl_protocols", "ssl_cipher_list" or both?

Thanks,

- J

Sources:

[1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
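
Added example, not part of the thread and not Dovecot's own code: a Python check that reads the two settings from 10-ssl.conf text and reports which protocol versions stay enabled, following the reply above that protocol versions are set in ssl_protocols. The protocol name list, the include/exclude handling and the use of the commented-out values as defaults are assumptions, and the sample configurations are constructed.

```python
import re

# Names accepted by ssl_protocols (assumed set for Dovecot 2.2.x with OpenSSL).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Assumption: the commented-out values quoted in the thread are the defaults.
DEFAULTS = {"ssl_protocols": "!SSLv2",
            "ssl_cipher_list": "ALL:!LOW:!SSLv2:!EXP:!aNULL"}

def read_settings(conf_text):
    """Return the effective values of the two settings in a 10-ssl.conf text."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # commented-out lines are ignored
        m = re.match(r"(ssl_protocols|ssl_cipher_list)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def enabled_protocols(value):
    """Assumed semantics: '!X' excludes X; if any name appears without '!',
    only the names listed that way stay enabled."""
    by_name = {p.lower(): p for p in PROTOCOLS}
    include, exclude = set(), set()
    for tok in value.replace(",", " ").split():
        name = by_name.get(tok.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol in ssl_protocols: " + tok)
        (exclude if tok.startswith("!") else include).add(name)
    if include:
        exclude |= set(PROTOCOLS) - include
    return [p for p in PROTOCOLS if p not in exclude]

def audit(conf_text):
    """Enabled protocols, plus cipher-list tokens that name a protocol version."""
    s = read_settings(conf_text)
    names = {p.lower() for p in PROTOCOLS}
    # In an OpenSSL cipher string these tokens filter cipher suites only.
    version_tokens = [t for t in re.split(r"[:, ]+", s["ssl_cipher_list"])
                      if t.lstrip("!+-").lower() in names]
    return {"enabled": enabled_protocols(s["ssl_protocols"]),
            "cipher_version_tokens": version_tokens}

# Constructed samples: the two forms from the question and the one from the reply.
CIPHER_ONLY = "#ssl_protocols = !SSLv2\nssl_cipher_list = !SSLv3\n"
BOTH = "ssl_protocols = !SSLv3\nssl_cipher_list = !SSLv3\n"
REPLY = "ssl_protocols = !SSLv2 !SSLv3\n"

if __name__ == "__main__":
    for label, conf in [("cipher only", CIPHER_ONLY), ("both", BOTH), ("reply", REPLY)]:
        print(label, audit(conf))
```

In this model, `ssl_protocols = !SSLv3` on its own replaces the default `!SSLv2` rather than adding to it, which is why the reply lists both exclusions.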