> On 30 July 2018 at 21:42 J Doe <[email protected]> wrote:
>
> > On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <[email protected]> wrote:
> >
> > On 29.07.2018 at 21:02 J Doe wrote:
> >> Hello,
> >> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
> >> In 10-ssl.conf there are two parameters:
> >> ssl_protocols
> >> ssl_cipher_list
> >> ssl_protocols is commented with “SSL protocol to use” and ssl_cipher_list
> >> is commented with “SSL ciphers to use”.
> >> If I want to disable SSLv3, for example, do I need to use both parameters
> >> or will disabling SSLv3 ciphers in ssl_cipher_list do the same thing?
> >> So is:
> >> ssl_cipher_list = !SSLv3
> >> …equivalent to:
> >> ssl_protocols = !SSLv3
> >> ssl_cipher_list = !SSLv3
> >
> > No. SSLv3 is not a cipher but a protocol.
> >
> > "ssl_protocols = !SSLv2 !SSLv3" is what you want to specify.
> >
> > For ciphers you could define by ssl_cipher_list see "openssl ciphers -v"
>
> Hi Alexander and list,
>
> I think there may be a discrepancy in the documentation.
>
> On the wiki on the “Dovecot SSL Configuration” page [1] under the section
> “SSL security settings” it says:
>
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> In the conf.d/10-ssl.conf it states:
>
> # SSL protocols to use
> #ssl_protocols = !SSLv2
>
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> My new question is:
>
> 1. Are the SSL/TLS protocols to use and/or exclude specified in
> “ssl_protocols”, “ssl_cipher_list” or both?
You can use SSLv2 ciphers with TLSv1.2 protocol, if enabled.

ssl_protocols defines which protocol(s) to support.
ssl_cipher_list defines which cipher(s) to support.

They are not the same thing.

Aki

> Thanks,
>
> - J
>
> Sources:
> [1] See: https://wiki2.dovecot.org/SSL/DovecotConfiguration
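The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Dovecot's own code: a small Python checker that reads a 10-ssl.conf fragment and reports whether SSLv3 is still negotiable. The two config fragments are constructed for the example (the first is the configuration the original question proposed, the second is the fix from Alexander's reply). The model of `ssl_protocols` (space-separated version names, a leading `!` disables one, bare names whitelist) follows the setting's documented 2.2 syntax and is an assumption of the example, as are the defaults, which are taken from the commented lines quoted in the thread. The cipher-list finding rests on one OpenSSL fact: in a cipher string, `SSLv3` and `SSLv2` name families of cipher suites (the ones `openssl ciphers -v` tags with that version), not protocol versions, so `!SSLv3` there never blocks an SSLv3 handshake.

```python
"""Added example: does a Dovecot 2.2 10-ssl.conf fragment really disable SSLv3?

Models the two settings discussed in the thread:
  ssl_protocols   - which protocol versions may be negotiated
  ssl_cipher_list - an OpenSSL cipher-list string selecting cipher suites
The config text below is constructed for the example, not a real server's file.
"""

# Protocol names a Dovecot 2.2 (OpenSSL-backed) build accepts in ssl_protocols.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Defaults as shown commented out in the 2.2 example conf.d/10-ssl.conf.
DEFAULT_PROTOCOLS = "!SSLv2"
DEFAULT_CIPHERS = "ALL:!LOW:!SSLv2:!EXP:!aNULL"


def parse_settings(conf_text):
    """Return {key: value} for active 'key = value' lines; '#' lines are ignored."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def enabled_protocols(ssl_protocols):
    """Model of ssl_protocols: space-separated names, '!' disables a version.

    Assumption (the setting's documented syntax): with only negated names,
    every other version stays enabled; with any bare name, only the bare
    names are enabled, minus the negated ones.
    """
    tokens = ssl_protocols.split()
    allowed = {t for t in tokens if not t.startswith("!")}
    denied = {t[1:] for t in tokens if t.startswith("!")}
    base = allowed if allowed else set(ALL_PROTOCOLS)
    return sorted(base - denied)


def audit(conf_text):
    """Return (sorted enabled protocols, list of findings) for a config fragment."""
    settings = parse_settings(conf_text)
    protocols = enabled_protocols(settings.get("ssl_protocols", DEFAULT_PROTOCOLS))
    cipher_tokens = settings.get("ssl_cipher_list", DEFAULT_CIPHERS).split(":")

    findings = []
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in protocols:
            findings.append(f"{legacy} still negotiable: add !{legacy} to ssl_protocols")
    # In an OpenSSL cipher string, SSLv3 names a suite family, not a version.
    # '!SSLv3' leaves the SSLv3 handshake alone and instead removes the suites
    # OpenSSL tags as SSLv3-era (AES128-SHA and friends) from every TLS version.
    if "!SSLv3" in cipher_tokens:
        findings.append("!SSLv3 in ssl_cipher_list does not block the SSLv3 protocol; "
                        "it only drops the SSLv3-era cipher suites, which TLS 1.0/1.1 "
                        "clients also need")
    return protocols, findings


# Constructed: the configuration the original question proposed, with the
# protocol line left at its commented default.
WEAK_CONF = """\
# SSL protocols to use
#ssl_protocols = !SSLv2

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3
"""

# Constructed: the fix from the reply, disabling both legacy versions by protocol.
FIXED_CONF = """\
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        protocols, findings = audit(conf)
        print(f"{name}: protocols enabled = {protocols}")
        for finding in findings:
            print(f"  - {finding}")
```

Two practitioner checks go with this. After reloading Dovecot with the fixed settings, `openssl s_client -connect mail.example.com:993 -ssl3` (hostname assumed) should be refused; this only works with an OpenSSL build that still has SSLv3 compiled in, which many current distributions do not. And note that this `ssl_protocols` syntax is specific to Dovecot 2.2: Dovecot 2.3 replaced it with `ssl_min_protocol`, so the line above has to be rewritten on upgrade.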
