> On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>
> On 29.07.2018 at 21:02 J Doe wrote:
>> Hello,
>> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
>> In: 10-ssl.conf there are two parameters:
>> ssl_protocols
>> ssl_cipher_list
>> ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
>> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
>> ssl_cipher_list do the same thing?
>> So is:
>> ssl_cipher_list = !SSLv3
>> ...equivalent to:
>> ssl_protocols = !SSLv3
>> ssl_cipher_list = !SSLv3
>
>
> No. SSLv3 is not a cipher but a protocol.
>
> "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
>
> For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"

Hi Alexander and list,

I think there may be a discrepancy in the documentation.

On the wiki on the "Dovecot SSL Configuration" page [1] under the section "SSL security settings" it says:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

In the conf.d/10-ssl.conf it states:

# SSL protocols to use
#ssl_protocols = !SSLv2

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

My new question is:

1. Are the SSL/TLS protocols to use and/or exclude specified in "ssl_protocols", "ssl_cipher_list" or both?

Thanks,

- J

Sources:
[1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
> On 30 July 2018 at 21:42 J Doe <general at nativemethods.com> wrote:
>
>
>
> > On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> >
> > On 29.07.2018 at 21:02 J Doe wrote:
> >> Hello,
> >> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
> >> In: 10-ssl.conf there are two parameters:
> >> ssl_protocols
> >> ssl_cipher_list
> >> ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
> >> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
> >> ssl_cipher_list do the same thing?
> >> So is:
> >> ssl_cipher_list = !SSLv3
> >> ...equivalent to:
> >> ssl_protocols = !SSLv3
> >> ssl_cipher_list = !SSLv3
> >
> >
> > No. SSLv3 is not a cipher but a protocol.
> >
> > "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
> >
> > For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
>
> Hi Alexander and list,
>
> I think there may be a discrepancy in the documentation.
>
> On the wiki on the "Dovecot SSL Configuration" page [1] under the section "SSL security settings" it says:
>
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> In the conf.d/10-ssl.conf it states:
>
> # SSL protocols to use
> #ssl_protocols = !SSLv2
>
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> My new question is:
>
> 1. Are the SSL/TLS protocols to use and/or exclude specified in "ssl_protocols", "ssl_cipher_list" or both?
>

You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled. ssl protocol defines which protocol(s) to support. ssl_cipher_list defines which cipher(s) to support. They are not the same thing.

Aki

> Thanks,
>
> - J
>
> Sources:
> [1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
On 30.07.2018 22:29, Aki Tuomi wrote:
>> On 30 July 2018 at 21:42 J Doe <general at nativemethods.com> wrote:
>>
>>
>>
>>> On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>>>
>>> On 29.07.2018 at 21:02 J Doe wrote:
>>>> Hello,
>>>> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
>>>> In: 10-ssl.conf there are two parameters:
>>>> ssl_protocols
>>>> ssl_cipher_list
>>>> ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
>>>> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
>>>> ssl_cipher_list do the same thing?
>>>> So is:
>>>> ssl_cipher_list = !SSLv3
>>>> ...equivalent to:
>>>> ssl_protocols = !SSLv3
>>>> ssl_cipher_list = !SSLv3
>>>
>>> No. SSLv3 is not a cipher but a protocol.
>>>
>>> "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
>>>
>>> For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
>> Hi Alexander and list,
>>
>> I think there may be a discrepancy in the documentation.
>>
>> On the wiki on the "Dovecot SSL Configuration" page [1] under the section "SSL security settings" it says:
>>
>> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>>
>> In the conf.d/10-ssl.conf it states:
>>
>> # SSL protocols to use
>> #ssl_protocols = !SSLv2
>>
>> # SSL ciphers to use
>> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>>
>> My new question is:
>>
>> 1. Are the SSL/TLS protocols to use and/or exclude specified in "ssl_protocols", "ssl_cipher_list" or both?
>>
> You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled. ssl protocol defines which protocol(s) to support. ssl_cipher_list defines which cipher(s) to support. They are not the same thing.
>
> Aki

I personally used https://www.ssllabs.com/ssltest/analyze.html when I set up my server to get green across the board for the web server and then used the same ciphers for Dovecot and confirmed the result with https://github.com/drwetter/testssl.sh

ssl_min_protocol = TLSv1 # New in Dovecot 2.3 iirc.
ssl_cipher_list = "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"
ssl_prefer_server_ciphers = yes

Good luck,
Reio
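Aki's point that the protocol setting and the cipher list are two independent knobs, and Reio's three settings, modelled with Python's ssl module (an added example, not code from the thread or from Dovecot): it maps ssl_min_protocol, ssl_cipher_list and ssl_prefer_server_ciphers onto an OpenSSL context, and shows that a cipher string made only of exclusions, such as the "!SSLv3" from the original question, selects no ciphers at all rather than disabling the protocol. The MIN_PROTOCOL mapping, the function names and the TLS 1.2 floor used in the demo are this example's own choices.

```python
"""Added example: model Dovecot's protocol and cipher settings with Python's ssl module."""
import ssl

# Example mapping of Dovecot ssl_min_protocol values to OpenSSL protocol versions.
MIN_PROTOCOL = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_context(ssl_min_protocol, ssl_cipher_list, prefer_server_ciphers=True):
    """Build a server SSLContext from the three Dovecot-style settings.

    The protocol floor and the cipher string are independent knobs, as in
    Dovecot: set_ciphers() never changes which protocol versions are accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_PROTOCOL[ssl_min_protocol]  # ssl_min_protocol
    ctx.set_ciphers(ssl_cipher_list)                       # ssl_cipher_list (OpenSSL syntax)
    if prefer_server_ciphers:                              # ssl_prefer_server_ciphers = yes
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def enabled_cipher_names(ctx):
    """Names of the suites OpenSSL will offer after applying the cipher string."""
    return [c["name"] for c in ctx.get_ciphers()]


def cipher_list_is_usable(ssl_cipher_list):
    """True if OpenSSL can select at least one cipher from the string.

    A string consisting only of exclusions, such as "!SSLv3", removes every
    cipher and is rejected by OpenSSL; it does not disable the SSLv3 protocol.
    """
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(ssl_cipher_list)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    # The wiki's cipher string with a TLS 1.2 floor (the floor is this example's choice).
    ctx = build_context("TLSv1.2", "ALL:!LOW:!SSLv2:!EXP:!aNULL")
    print("minimum protocol:", ctx.minimum_version.name)
    print("ciphers offered:", ", ".join(enabled_cipher_names(ctx)))
    print("'!SSLv3' usable as ssl_cipher_list:", cipher_list_is_usable("!SSLv3"))
```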