similar to: openssh and SSLv2 ciphers

I've set up a list of ciphers that excludes SSLv2 ciphers (and other weak ones) in the hope of preventing SSLv2 connections: ssl_cipher_list = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : @STRENGTH However, this doesn't prevent the SSLv2 connection being allowed as our Nessus scans show and I'm tasked with trying to plug that "hole". I see Dovecot2 had

I have dovecot running as a pop3s server on port 995 it works great with sendmail and I run nessus to check security issues nessus reports this The SSLv2 server offers 3 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against

On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a

Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I

On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > >

I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry

This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at all and dovecot's defaults simply make OpenSSL error out with "Unknown protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL seems to know something about it. While at it, it's also a good idea to disable SSLv3 by default as well. [1] https://bugs.debian.org/844347

Everyone, I am having an issue with getting anonymous ssl ciphers disabled in dovecot. I have googled like crazy to find the solution with no help. Here is my doveconf -n # 1.2.5: /etc/dovecot.conf # OS: Linux 2.6.18-92.el5 x86_64 CentOS release 5.2 (Final) nfs log_path: /var/log/dovecot ssl_cert_file: /etc/ssl/islandemail.com.wild.cert ssl_key_file: /etc/ssl/islandemail.com.wild.key

> On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote: > > Am 29.07.2018 um 21:02 schrieb J Doe: >> Hello, >> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22. >> In: 10-ssl.conf there are two parameters: >> ssl_protocols >> ssl_cipher_list >> ssl_protocols is commented with ?SSL protocol to

Hello, I have a question regarding SSL/TLS settings for Dovecot version 2.2.22. In: 10-ssl.conf there are two parameters: ssl_protocols ssl_cipher_list ssl_protocols is commented with ?SSL protocol to use? and ssl_cipher_list is commented with ?SSL ciphers to use?. If I want to disable SSLv3, for example, do I need to use both parameters or will disabling SSLv3 ciphers in

Hi Timo, reading this http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/ it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use with apple mail ( if no ECDHE is possible ,by missing openssl 1.x etc, seems that apple mail tries ECDHE first if fails its going to use RSA-AES128-SHA ) force soltution as tried ssl_cipher_list =

CentOS 7 Dovecot 2.2.36 Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<> Was working fine for over a year, until the cert expired and I replaced it. I've tried the good cert I have for

On Tue, Dec 02, 2014 at 08:34:50AM -0800, Darren Pilgrim wrote: > On 12/1/2014 9:44 PM, Will Yardley wrote: > > On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > >> On 12/1/2014 4:43 PM, Will Yardley wrote: > >>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config > >>> (in a way that's sane)? > >> >

Hi Is there known advices on how to favor PFS with dovecot? In Apache, I use the following directives, with cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE at STRENGTH:ECDH at STRENGTH:DH at STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10

Hi, after the upgrade from dovecot 2.0.13 (ubuntu oneiric) to dovecot 2.0.19 (ubuntu precise), in my logs I have a lot of these errors: Jun 23 00:20:29 server1 dovecot: master: Error: service(imap-login): child 6714 killed with signal 11 (core dumps disabled) I tested 2.0.21 and the problem is still here. The problem seems to appear only when the client is ms outlook, thunderbird works fine

Hello everybody, I am working on a project trying to port openSSH and have noticed that some of the components rely on SSL which is a pretty big program as well. Is there any way to just rip out certain modules from SSL to get openSSH to work with out porting all of the SSL components, and if so what are the only SSL modules I need to get SSH to work properly. Any help will be greatly

Hi, I have noticed the 'ssl_cipher_list' directive in the 1.0-test snapshots which is not in 0.99. It's default value seems to be "all:!low". However, this would not be compatible with openssl's cipher listing format. Thus, I would vote to change it's format to be openssl compatible. To be compatible, it has to be changed to "ALL:!LOW" (just upercased in

On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com> wrote: > >> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote: >> >> The site is rated "C" > > The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date. > >

First, when I tried to start sshd, I got the message Starting sshd: ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8). sshd: no RSA support in libssl and libcrypto -- exiting. See ssl(8) no RSA support in libssl and libcrypto -- exiting. See ssl(8) So I thought I have to recompile openssl with rsaref flag to config. When I did that, I got compilation error (this is version 0.9.5

Hi All. In curl manual: --ciphers -> "(SSL) Specifies which ciphers to use in the connection. The list of ciphers must specify valid ciphers. Read up on SSL cipher list details on this URL:http://www.openssl.org/docs/apps/ciphers.html" In openssl: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES there are names such as "SSL_RSA_WITH_RC4_128_SHA RC4-SHA" but