search for: anull

...l Dreyfus wrote: > On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote: >> Hello, >> about the CVE-2015-0204, in apache the following config seems to disable >> this vulnerability: >> SSLProtocol All -SSLv2 -SSLv3 >> SSLCipherSuite >> HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 >> >> Is something similar possible with dovecot ? > I use this with some succes: > > # dovecot has built-in protection against BEAST, therefore no need > # to remove -SSLv2-SHA1:-TLSv10-SHA1 > ssl_protocols = !SSLv2 !SSLv3 &gt...

...works fine. I found some posts about this but none of them had a real solution on this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 ssl_cert = </var/qmail/control/servercert.pem ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH ssl_dh_parameters_length = 2048 ssl_key = </var/qmail/control/servercert.pem ssl_protocols = !SSLv2 !TLSv1.2 The certificate is from Comodo using sha256. Any idea? Oliver -- Protect your environment - close windows and adopt a penguin! -------------- next part -------------...

...ecot 2.2.15 I want pop3s, so I made /usr/local/etc/dovecot/local.conf ssl = yes ssl_cert = </usr/local/etc/dovecot/server.pem ssl_key = </usr/local/etc/dovecot/server.key ssl_ca = </usr/local/etc/dovecot/ca.pem ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4 It's work fine. But, change ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4 ( SSLV3 -> SSLv3 ) I did trouble. /var/log/maillog Jan 6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx,...

...ecking for file ?lbmisc/DESCRIPTION? ... OK * this is package ?lbmisc? version ?0.3.0? * checking CRAN incoming feasibility ...* Trying 172.23.0.30... * TCP_NODELAY set * Connected to (nil) (172.23.0.30) port 8080 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@ STRENGTH * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol * Curl_http_done: called premature == 0 * Closing connection 0 * Trying 172.23.0.30... * TCP_NODELAY set * Connect...

...84:ECDHE-RSA- > AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:! > RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES- > CBC3-SHA:!KRB5-DES-CBC3-SHA > > > > This looks rather cumbersome way to define ciphers. > > > 1. Are these settings good or can be improved? > > 2. Is this line proper: > > ssl_...

...ou could define by ssl_cipher_list see "openssl ciphers -v? Hi Alexander and list, I think there may be a discrepancy in the documentation. On the wiki on the ?Dovecot SSL Configuration? page [1] under the section ?SSL security settings? it says: ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL In the conf.d/10-ssl.conf it states: # SSL protocols to use #ssl_protocols = !SSLv2 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL My new question is: 1. Are the SSL/TLS protocols to use and/or exclude specified in ?ssl_protocols?, ?ssl_cipher_list? or...

Hello, about the CVE-2015-0204, in apache the following config seems to disable this vulnerability: SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 Is something similar possible with dovecot ? If yes, what are the implications with old mail clients ? -- Best regards, Adrian Minta

...cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE at STRENGTH:ECDH at STRENGTH:DH at STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10 -SHA1:RC4:!MD5:!DES:!aNULL:!eNULL dovecot does not care about BEAST, since attacker cannot inject trafic. Therefore the cipher list get simplier in dovecot.conf: ssl_cipher_list = ECDHE at STRENGTH:ECDH at STRENGTH:DH at STRENGTH:HIGH:!MD5:!DES:!aNULL :!eNULL But that list is good for browsers. I am not aware of documenta...

I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry

...SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA 1. Are these settings good or can be improved? 2. Is this line proper: ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 or maybe should be: ssl_protocols = !SSLv2 !SSLv3 3. Last thing. I have belo...

...ss_min_avail = 3 service_count = 1 user = dovecot ##vsz_limit = 1M } service imap { executable = /usr/dovecot2/libexec/dovecot/imap process_limit = 512 ##vsz_limit = 256 } ssl = yes ssl_cert = <//etc/ssl/certs/wilcard.nk.ca.2018.chain.cert ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:aNULL: !NULL : !RC2 : !RC4 : !SEED : !IDEA : !SSLv3 ssl_key = </etc/ssl/certs/wilcard.nk.ca.2018.key verbose_ssl = yes ssl_dh=</usr/dovecot2/etc/dovecot/ssl/dh.pem userdb { driver = passwd } userdb { args = /etc/passwd driver = passwd-file } protocol imap { imap_client_workarounds = dela...

...at dovecot.fi>: > > > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> > wrote: > > > > > > Thank You for answers. But: > > 1. How should be properly configured ssl_cipher_list? > > ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:! > 3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > > To disable non-EC DH, use: > > ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS: > !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > > > 2. Ok, removed !TLSv1 !TLSv1.1. > > 3....

...service pop3 { executable = /usr/dovecot2/libexec/dovecot/pop3 process_limit = 512 } ssl_cert = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.2016.chain.crt ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:aNULL ssl_key = # hidden, use -P to show it userdb { driver = passwd } userdb { args = /etc/passwd driver = passwd-file } verbose_ssl = yes...

...f them had a real solution on >> this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. >> >> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 >> >> ssl_cert = </var/qmail/control/servercert.pem >> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH >> ssl_dh_parameters_length = 2048 >> ssl_key = </var/qmail/control/servercert.pem >> ssl_protocols = !SSLv2 !TLSv1.2 >> >> The certificate is from Comodo using sha256. >> >> Any idea? >> >> Oliver >> >there is no...

> On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> wrote: > > > Thank You for answers. But: > 1. How should be properly configured ssl_cipher_list? ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > 2. Ok, removed !TLSv1 !TLSv1.1. > 3. Strange thing with ssl_protocols and ssl_ci...

...o parse and avoiding duplicative or deprecated configs? The behavior is also pretty strange; if I have something like one of the following, with or without $ssl_protocols set to exclude SSLv2 and SSLv3: ssl_cipher_list = HIGH:!MEDIUM:!LOW:!SSLv3 ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:!MEDIUM TLS v1.0 and v1.1 get disabled as well. I also can't seem to explicitly enable TLS 1.0 or 1.1 in $ssl_cipher_list. w

...of them had a real solution on >> this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. >> >> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 >> >> ssl_cert = </var/qmail/control/servercert.pem >> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH >> ssl_dh_parameters_length = 2048 >> ssl_key = </var/qmail/control/servercert.pem >> ssl_protocols = !SSLv2 !TLSv1.2 >> >> The certificate is from Comodo using sha256. >> >> Any idea? >> >> Oliver >> > > there is n...

...conf.d/10-ssl.conf +++ b/doc/example-config/conf.d/10-ssl.conf @@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem #ssl_dh_parameters_length = 1024 # SSL protocols to use -#ssl_protocols = !SSLv2 +#ssl_protocols = !SSLv3 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c index 4a05045..6b43f6c 100644 --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -44,7 +44,11 @@ static const struct master_service_ssl_sett...

...>> > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU > >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > >> > >> To disable non-EC DH, use: > >> > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS: > >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > >> > >> > 2. Ok, removed !TLSv1 !TLSv1.1. > >> > 3. Strange thing with ssl_protocols and ssl_cipher_list, because on > >> older > >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and...

...ptographic primitives after the Dual EC DRBG debacle. >From what I can tell, the following will prevent the use of NIST's curves (along with other dangerous primitives) in Dovecot, but this is accomplished by simply disabling EECDH entirely. ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH This should still retain forward secrecy through the use of EDH, but this doesn't leave much in the way of allowable algorithms on my server: $ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH' 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx...