similar to: Problem with mysql backend and SSL ciphers

On 17.4.2019 23.00, Kostya Vasilyev via dovecot wrote: > I'm not Aki but hope you don't mind... > > On Wed, Apr 17, 2019, at 10:42 PM, TG Servers via dovecot wrote: >> Hi, >> >> MariaDB documentation says it accepts OpenSSL cipher strings in its >> ssl_cipher parameters like ssl_cipher="TLSv1.2". >> This is also mentioned when creating or

I'm not Aki but hope you don't mind... On Wed, Apr 17, 2019, at 10:42 PM, TG Servers via dovecot wrote: > Hi, > > MariaDB documentation says it accepts OpenSSL cipher strings in its ssl_cipher parameters like ssl_cipher="TLSv1.2". > This is also mentioned when creating or changing users in terms of setting this with the REQUIRE CIPHER parameter like CREATE USER

I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers. Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`. Now, there is no way to exclude a specific group of one or more TLS versions. For a new bug report, I think we need two new settings: * `ssl_tls13_ciphersuite` and * `ssl_tls10_cipher`

I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers. Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`. Now, there is no way to exclude a specific group of one or more TLS versions. For a new bug report, I think we need two new settings: * `ssl_tls13_ciphersuite` and * `ssl_tls10_cipher`

Have you considered any alternatives? I'm thinking of IPSec to create a secured network encapsulation channel(s) "above" the TCP connection(s). This would provide encryption with control over cipher(s), and cert validation on both sides (if you used cert auth, not PSK). -- K On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot wrote: > Ok then it seems again a MariaDB

Hey everybody, I'm trying to get mysql master/slave replication to work under SSL. I've created the certs for both the slave and the master. I've configured the master and slave my.cnf. And it does appear that replication is actually working. Master is actually MariaDB (version 5.5.41-MariaDB-log, and the slave is MySQL (version 5.5.41-log). But there are two issues I'd like to

On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a

On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > >

>> I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers. > > There is no need to disable TLSv1.3 and attempts to do so will be flagged as ?downgrade attacks?. Let us ignore TLSv1.2 as a downgrade option. And focus on TLSv1.3 for its entirety of this thread. If the ciphersuite (not cipher for that's a TLSv1.2 term), but a

Hello, I've seen this issue before, running a imap/smtp/database server on localhost and adding in a webmail interface, in this case Roundcube. In my maillog I'm seeing accessive Dovecot connections and logouts just from my own transaction of logging in, going to compose a message, sending, and logging out. I'm using Mysql as database backend and was wondering if there was something

Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each lines report relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:

Hello! I'm attempting to get Dovecot working with MySQL user database on another machine. I can connect to the MySQL (5.7.26) instance with SSL enabled: ?mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA -u vmail -p However if I use the same values in dovecot-sql.conf.ext, I

I am interested in configuring Dovecot's TLS so as to retain forward secrecy, but eliminate all of NIST's elliptic curves. Besides being subject to side channel attacks [1], in some quarters there is a general distrust of NIST's curves and any of their other cryptographic primitives after the Dual EC DRBG debacle. >From what I can tell, the following will prevent the use of

On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot at dovecot.org> wrote: > > On 20.07.2019 22:37, Aki Tuomi via dovecot wrote: >> >>> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot at dovecot.org> <mailto:dovecot at dovecot.org> wrote: >>> >>> >>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote: >>>>

On 2015-04-26 18:15, Philipp Schafft wrote: > I tested with both Mozilla's 'Modern' and 'Intermediate' list. Both > work well with all versions of Icecast (official) as well as current -kh. > In that case my suggestion is for libshout to only focus on using the Modern list then as it explicitly excludes DES and RC4 and MD5. While HMAC-MD5 (for some password uses)

On 08 May 2020, at 09:43, Steve Egbert <s.egbert at sbcglobal.net> wrote: > I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers. There is no need to disable TLSv1.3 and attempts to do so will be flagged as ?downgrade attacks?. > Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`. >

Also, more testimony to the same problem (by others) is posted over at ServerFault (StackOverflow): https://serverfault.com/questions/975871/forcing-dovecot-2-3-4-1-to-use-tlsv1-2 On 5/8/20 11:50 AM, Steve Egbert wrote: > I have an operational need to disable TLSv1.3 due to inadequate support > to exclude certain ciphers. > > Much to my dismay, the `ssl_protocols` had been