Displaying 20 results from an estimated 544 matches for "ssl_protocols".
2015 Feb 09
2
Per-protocol ssl_protocols settings
Sorry for the bump...
Anyone know if it is possible to have multiple protocols instances with
different ssl_protocols settings?
Regards.
On 07/02/15 00:03, Gionatan Danti wrote:
> Hi all,
> anyone with some ideas?
>
> Thanks.
>
> On 2015-02-02 23:08, Gionatan Danti wrote:
>> Hi all,
>> I have a question regarding the "ssl_protocols" parameter.
>>
>> I under...
2015 Feb 02
2
Per-protocol ssl_protocols settings
Hi all,
I have a question regarding the "ssl_protocols" parameter.
I understand that editing the 10-ssl.conf file I can set the
ssl_protocols variable as required.
At the same time, I can edit a single protocol file (eg: 20-pop3.conf)
to set the ssl_protocols for a specific protocol/listener.
I wonder if (and how) I can create a different list...
2014 Dec 02
4
disabling certain ciphers
On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
> On 12/1/2014 4:43 PM, Will Yardley wrote:
> > Can you use both ssl_protocols *and* ssl_cipher_list in the same config
> > (in a way that's sane)?
>
> > Is there a way to exclude these ciphers, while still keeping my config
> > easy to parse and avoiding duplicative or deprecated configs?
>
> Yes to both. If you need to support older clients...
2015 Feb 09
0
Per-protocol ssl_protocols settings
I performed a quick test and it seems that the "ssl_protocols" setting is per-IP only and shared among all listeners defined for that address. As you want this setting to be active for one specific "inet_listener" only (with port 10995 in your case), dovecot would have to permit the "ssl_protocols" directive in that scope, which it d...
2018 Jul 30
2
Restricting SSL/TLS protocol versions on Dovecot 2.2.22
> On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>
> On 29.07.2018 at 21:02, J Doe wrote:
>> Hello,
>> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
>> In: 10-ssl.conf there are two parameters:
>> ssl_protocols
>> ssl_cipher_list
>> ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
>> If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
>> ssl_cipher_list do t...
2018 Jul 29
2
Restricting SSL/TLS protocol versions on Dovecot 2.2.22
Hello,
I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
In: 10-ssl.conf there are two parameters:
ssl_protocols
ssl_cipher_list
ssl_protocols is commented with "SSL protocol to use" and ssl_cipher_list is commented with "SSL ciphers to use".
If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in
ssl_cipher_list do the same thing?
So is:
ssl_c...
2014 Dec 02
2
disabling certain ciphers
On 12/2/2014 1:32 AM, Reindl Harald wrote:
>
> On 02.12.2014 at 06:44, Will Yardley wrote:
>> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
>>> On 12/1/2014 4:43 PM, Will Yardley wrote:
>>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config
>>>> (in a way that's sane)?
>>>
>>>> Is there a way to exclude these ciphers, while still keeping my config
>>>> easy to parse and avoiding duplicative or deprecated configs?
>>>
>>> Yes to...
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config
(in a way that's sane)?
ssl_protocols (>= 2.1)
and
ssl_cipher_list
co-exist, or are they mutually exclusive?
I have a Dovecot 2.2.13 system, and I tried setting:
I also tried things like
ssl_cipher_list = HIGH
or
ssl_cipher_list = HIGH:!MEDIUM:!L...
2015 Mar 21
2
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
...er-service.c"
[20] login_binary_run(binary = 0x8068c50, argc = 2, argv = 0x8047d4c)
(optimized), at 0xfee3294a (line ~470) in "main.c"
[21] main(argc = 2, argv = 0x8047d4c) (optimized), at 0x8054de7 (line
~706) in "client.c"
>> dovecot.conf had:
>> ssl_protocols = !SSLv2 !SSLv3
>>
>> removing that line stops the core dump and syslog then shows:
>>
>> Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS ha...
2015 Feb 06
0
Per-protocol ssl_protocols settings
Hi all,
anyone with some ideas?
Thanks.
On 2015-02-02 23:08, Gionatan Danti wrote:
> Hi all,
> I have a question regarding the "ssl_protocols" parameter.
>
> I understand that editing the 10-ssl.conf file I can set the
> ssl_protocols variable as required.
> At the same time, I can edit a single protocol file (eg: 20-pop3.conf)
> to set the ssl_protocols for a specific protocol/listener.
>
> I wonder if (and h...
2015 Mar 20
2
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
...Start Time: 1426851034
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
syslog:
Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login:
Fatal: master: service(imap-login): child 21918 killed with signal 11
(core dumped) [last ip=127.0.0.1]
dovecot.conf had:
ssl_protocols = !SSLv2 !SSLv3
removing that line stops the core dump and syslog then shows:
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login:
Disconnected (disconnected before auth was ready, waited 0 secs):
user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept()
failed:...
2016 Nov 15
1
[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
...conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
index 31b750c..2cd445b 100644
--- a/doc/example-config/conf.d/10-ssl.conf
+++ b/doc/example-config/conf.d/10-ssl.conf
@@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_dh_parameters_length = 1024
# SSL protocols to use
-#ssl_protocols = !SSLv2
+#ssl_protocols = !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
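Review bot: the new example line `#ssl_protocols = !SSLv3` drops the SSLv2 reference, but the unchanged `#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL` two lines below still names SSLv2, so the example file ends up inconsistent about whether SSLv2 is something an administrator can still refer to. Either update the cipher list example in the same patch or say in the commit message why it stays. Because these commented lines document the built-in defaults, the value here also has to match whatever default string the second file in this patch (master-service-ssl-settings.c) sets.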
diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index 4a05045..6b43f6c 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/s...
2018 Mar 11
0
2.2.34 broken if ssl_protocols contains !SSLv2
The code in ssl_protocols_to_min_protocol() to convert ssl_protocols to
min/max values can't cope with strings containing "!SSLv2".
dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
This string might be configured explicitly by the user, or if the user
hasn'...
2015 Mar 20
0
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
...can't reproduce it. I tried it with the same ssl_* settings you had. Can you get a gdb backtrace from the crash? It says "core dumped", so I guess there should be a core file somewhere. http://dovecot.org/bugreport.html has some more info on how to get it.
> dovecot.conf had:
> ssl_protocols = !SSLv2 !SSLv3
>
> removing that line stops the core dump and syslog then shows:
>
> Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL...
2015 Mar 21
0
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
On 21/03/2015 10:00, James wrote:
>>> the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I
>>> thought the ssl_protocols setting did.
>>> Do I still need, if I ever needed, the "ssl_protocols = " setting?
>>
>> All these ssl_* settings just go to OpenSSL without Dovecot (or I)
>> knowing all that much about them. I think you still need it, but maybe
>> it's because your...
2015 Mar 21
2
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
On 21.03.2015 at 11:51, James wrote:
> On 21/03/2015 10:00, James wrote:
>
>>>> the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I
>>>> thought the ssl_protocols setting did.
>>>> Do I still need, if I ever needed, the "ssl_protocols = " setting?
>>>
>>> All these ssl_* settings just go to OpenSSL without Dovecot (or I)
>>> knowing all that much about them. I think you still need it, but maybe
>>> it...
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...vice;
const char *ssl_options;
+ const char *ssl_lowest_version;
bool ssl_verify_client_cert;
bool ssl_require_crl;
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -26,6 +26,7 @@ static const struct setting_define maste
DEF(SET_STR, ssl_protocols),
DEF(SET_STR, ssl_cert_username_field),
DEF(SET_STR, ssl_crypto_device),
+ DEF(SET_STR, ssl_lowest_version),
DEF(SET_BOOL, ssl_verify_client_cert),
DEF(SET_BOOL, ssl_require_crl),
DEF(SET_BOOL, verbose_ssl),
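Review bot: `DEF(SET_STR, ssl_lowest_version)` is registered in the same table as `DEF(SET_STR, ssl_protocols)`, and nothing in the visible lines says how the two interact when both are set or which one takes precedence. As a free-form SET_STR the new setting also accepts any string, so the patch should state the accepted values, reject unknown ones when settings are checked rather than at handshake time, and add a documented entry to doc/example-config/conf.d/10-ssl.conf next to ssl_protocols.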
@@ -54,6 +55,7 @@ static const struct master_service_ssl_s
.ssl_protocols = &q...
2015 Jan 09
4
dovecot on wheezy, best ssl configuration ?
Hi all, when hardening dovecot against the POODLE vulnerability,
we followed the advice to disable SSL2 and SSL3
but this is giving problems with some email clients (claws-mail).
ssl_protocols = !SSLv2 !SSLv3
results in the following error:
dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>,
rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
session=<2C8jBjIMmQBVGNd1>
Our smtp...
2017 Aug 27
3
[PATCH] Add support for lower TLS version than default
On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote:
>> DEF(SET_STR, ssl_protocols),
>> DEF(SET_STR, ssl_cert_username_field),
>> DEF(SET_STR, ssl_crypto_device),
>> + DEF(SET_STR, ssl_lowest_version),
>
>Does it really require a new setting? Couldn't it use the existing
>ssl_protocols setting?
You need to set a minimal version. SSL_PROTOLS can be...
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
...ay to enable previously
disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed
protocol versions, taking a linear version approach: the application may
request a minimum and a maximum allowed version (inclusive), allowing all
versions in between as well.
Dovecot's existing ssl_protocols option is probably not ideal to use with this
new "linear" model. Instead, I introduced two new options,
ssl_min_proto_version and ssl_max_proto_version, that map directly to OpenSSL
1.1 concepts.
I have tested the patch with both OpenSSL 1.0 and OpenSSL 1.1. With OpenSSL 1.1
it works as...