On 10/20/2014 11:18 AM, Roger Cornelius wrote:
> According to https://www.digitalocean.com/community/tutorials/how-to-
> protect-your-server-against-the-poodle-sslv3-vulnerability, SSLv3 can
> be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list
> config option.  Is that not correct?

Doing so will drop support for TLS 1.0 and 1.1 too (leaving 1.2 only).
This is explained by the fact that all the ciphers defined by SSLv3 are
also shared by TLS 1.0 and 1.1 so removing them only leaves those added
by TLS 1.2.

$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL' | wc -l
77
$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3' | wc -l
28

This is generally not advisable because many email clients do not
support TLS 1.2. The article should be fixed.

Simon
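As an added example (not part of this thread, and not Dovecot's or OpenSSL's own code), the following Python parses the `openssl ciphers -v` line format the reply quotes and models what the `!SSLv3` cipher-string keyword removes. The sample lines are constructed in the OpenSSL 1.0.x output format (`NAME PROTOCOL Kx= Au= Enc= Mac=`); the protocol column is the lowest version a suite was defined for, so a client limited to TLS 1.0 or 1.1 can only negotiate suites labelled `SSLv3`. The helper names (`parse_ciphers`, `exclude_protocol`, `usable_by`, `PROTO_ORDER`) are assumptions of this example.

```python
"""Model of the '!SSLv3' cipher-string keyword on `openssl ciphers -v` output.

Constructed sample lines (not real `openssl ciphers` output from this bug),
in the OpenSSL 1.0.x format:  NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
The PROTOCOL column is the minimum protocol version the suite was defined for.
TLS 1.0 and 1.1 added no new suites, so those clients use SSLv3-labelled ones.
"""
import re

SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-GCM-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# Ordering of the protocol labels OpenSSL prints in the second column.
PROTO_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts; reject lines that do not match."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(m.groupdict())
    return suites


def exclude_protocol(suites, proto):
    """Model the '!PROTO' keyword: drop every suite whose minimum-version column is PROTO."""
    return [s for s in suites if s["proto"] != proto]


def count_by_protocol(suites):
    """Number of suites per protocol label, e.g. {'SSLv3': 4, 'TLSv1.2': 4}."""
    counts = {}
    for s in suites:
        counts[s["proto"]] = counts.get(s["proto"], 0) + 1
    return counts


def usable_by(suites, client_max_proto):
    """Suites a client that speaks at most CLIENT_MAX_PROTO can still negotiate:
    the suite's minimum version must not exceed the client's maximum."""
    limit = PROTO_ORDER[client_max_proto]
    return [s for s in suites if PROTO_ORDER[s["proto"]] <= limit]


if __name__ == "__main__":
    all_suites = parse_ciphers(SAMPLE_CIPHERS_V)
    no_sslv3 = exclude_protocol(all_suites, "SSLv3")
    print("before !SSLv3:", count_by_protocol(all_suites))
    print("after  !SSLv3:", count_by_protocol(no_sslv3))
    for client in ("TLSv1", "TLSv1.1", "TLSv1.2"):
        n = len(usable_by(no_sslv3, client))
        print(f"client limited to {client}: {n} usable suites after !SSLv3")
```

Run against the constructed sample, `!SSLv3` leaves only the `TLSv1.2`-labelled suites, and `usable_by` reports zero suites for a client capped at TLS 1.0 or 1.1, which is the breakage the reply describes. The cipher string is the wrong layer for disabling a protocol; a protocol-level setting (Dovecot's `ssl_protocols`, which this bug notes is absent from the 2.0.19 in precise) switches off SSLv3 without touching the suites TLS 1.0 and 1.1 clients need.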

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dovecot in Ubuntu.
https://bugs.launchpad.net/bugs/1381537

Title:
  Dovecot version in precise  too old to switch off SSLv3 protocol for
  "poodle" fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs