Patch for adding tls_honor_cipher_order
Kristian Kræmmer Nielsen
jkkn at jkkn.dk
Thu Oct 16 13:32:30 EDT 2014
Hi,
Patch attached.
While at it, we might as well also let the user set tls_honor_cipher_order
if they want to, so that the order of ciphers specified using
tls_cipher_list is honored.
By default it is false, so it changes nothing.
For expert use it might give clients a bit of extra performance by using the
cheaper but still safe ciphers.
I would recommend going for a list like the one Mozilla has researched for
browsers, since most clients use the same SSL libraries for both their browser
and mail client. This is often the case on unix (openssl) and Windows.
Hope you'll merge,
Kristian
--
My configuration for reference:
#https://wiki.mozilla.org/Security/Server_Side_TLS
tls_cipher_list: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#tls_ec: prime256v1
tls_tlsonly: true
tls_honor_cipher_order: true
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-tls_honor_cipher_order
Type: application/octet-stream
Size: 1760 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20141016/cfeaedc4/attachment.obj
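To make the effect of tls_honor_cipher_order concrete, here is an added example (not from the patch, not Cyrus code, not the author's) that simulates TLS cipher-suite selection the way OpenSSL does it: without server preference the first suite in the client's list that the server also supports wins; with server preference the first suite in the server's configured order that the client offered wins. The cipher lists, the minimal parser for the colon-separated cipher-string syntax and the client names below are constructed for illustration; the parser only handles literal suite names and "!NAME" exclusions and does not expand OpenSSL aliases such as aNULL or RC4.

```python
"""Simulate TLS cipher-suite negotiation with and without server preference.

Constructed example: suite names follow OpenSSL naming, but the lists,
clients and the simplified cipher-string parser are assumptions made for
this illustration, not the behaviour of a specific Cyrus or OpenSSL build.
"""

# Constructed server configuration in the same colon-separated syntax as
# tls_cipher_list: cheaper AES-128-GCM first, a legacy 3DES fallback last,
# and one suite removed again with a "!" exclusion.
SERVER_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA:!RC4-SHA"
)

# Constructed client offers, each in the client's own preference order.
CLIENTS = {
    # A modern client that happens to prefer AES-256 over AES-128.
    "modern": ["ECDHE-RSA-AES256-GCM-SHA384",
               "ECDHE-RSA-AES128-GCM-SHA256",
               "AES128-SHA"],
    # A legacy client that lists 3DES before AES.
    "legacy": ["DES-CBC3-SHA", "AES128-SHA"],
    # A client offering only a suite the server has excluded.
    "rc4only": ["RC4-SHA"],
}


def parse_cipher_string(spec):
    """Parse a simplified OpenSSL-style cipher string into an ordered list.

    Plain tokens are appended in order (duplicates ignored); "!NAME" tokens
    remove NAME wherever it appears. Aliases (aNULL, RC4, MD5, ...) are not
    expanded here; real OpenSSL resolves them to groups of suites.
    """
    ordered, banned = [], set()
    for token in spec.split(":"):
        if not token:
            continue
        if token.startswith("!"):
            banned.add(token[1:])
        elif token not in ordered:
            ordered.append(token)
    return [suite for suite in ordered if suite not in banned]


def negotiate(server_suites, client_suites, honor_server_order):
    """Return the selected suite, or None if there is no common suite.

    honor_server_order=False mirrors OpenSSL's default: the client's order
    decides. honor_server_order=True mirrors SSL_OP_CIPHER_SERVER_PREFERENCE
    (what a tls_honor_cipher_order option would turn on): the server's
    configured order decides among the suites the client offered.
    """
    if honor_server_order:
        preferred, available = server_suites, set(client_suites)
    else:
        preferred, available = client_suites, set(server_suites)
    for suite in preferred:
        if suite in available:
            return suite
    return None  # handshake would fail: no shared cipher suite


def run_demo():
    """Negotiate every constructed client against the server both ways."""
    server = parse_cipher_string(SERVER_SPEC)
    results = {}
    for name, offered in CLIENTS.items():
        results[name] = {
            "client_order": negotiate(server, offered, False),
            "server_order": negotiate(server, offered, True),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:8s} client-order={outcome['client_order']}  "
              f"server-order={outcome['server_order']}")
```

With server preference on, the modern client is steered to the cheaper AES-128-GCM suite the server lists first and the legacy client is moved off 3DES onto AES-128-CBC; the client offering only the excluded suite fails either way, which is the check to run before turning the option on: a strict server order only helps if every suite a client might land on is one you are happy with.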