Patch for adding tls_honor_cipher_order

Kristian Kræmmer Nielsen jkkn at jkkn.dk
Thu Oct 16 13:32:30 EDT 2014


Hi,

Patch attached.

While at it we might as well also let the user set tls_honor_cipher_order if they want to, so that the order of ciphers specified using tls_cipher_list is honored.

By default false, so changes nothing.

For expert use it might give clients a bit of extra performance by using the cheaper but still safe ciphers.

I would recommend going for a list like the one Mozilla has researched for browsers, since most clients use the same SSL libraries for both their browser and mail client. This is often the case on unix (openssl) and Windows.

Hope you'll merge,
Kristian

--

My configuration for reference:

#https://wiki.mozilla.org/Security/Server_Side_TLS
tls_cipher_list: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

#tls_ec: prime256v1
tls_tlsonly: true
tls_honor_cipher_order: true
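What the proposed switch actually changes is which side's ordering wins when the server picks a cipher suite. The following is an added illustration, not code from the mail or from Cyrus: it models the two selection rules (OpenSSL's default of walking the client's offer, versus SSL_OP_CIPHER_SERVER_PREFERENCE walking the server's configured list). The cipher names are real OpenSSL suite names taken from the list above, but both the server list and the client offer here are constructed for the example.

```python
"""Model of TLS cipher-suite selection with and without honoring the
server's cipher order.  Added example, not part of the original mail or of
Cyrus.  Lists below are constructed; suite names are real OpenSSL names."""

from typing import Optional, Sequence

# Constructed server preference: the cheap AES-128-GCM suites first, the
# heavier AES-256 and CBC suites later, mirroring the front of the
# Mozilla-style list in the mail.
SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA",
]

# Constructed client offer: a client that lists its own favourite, an older
# DHE/CBC suite, ahead of the GCM suites.
CLIENT_OFFER = [
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def negotiate(server: Sequence[str], client: Sequence[str],
              honor_server_order: bool) -> Optional[str]:
    """Return the suite a server would select, or None when nothing overlaps.

    honor_server_order=False (OpenSSL default): walk the client's list in the
    order the client sent it and take the first suite the server supports.
    honor_server_order=True (SSL_OP_CIPHER_SERVER_PREFERENCE, what an
    imapd.conf "tls_honor_cipher_order: true" asks for): walk the server's
    configured list and take the first suite the client offered.
    """
    preferred, other = (server, client) if honor_server_order else (client, server)
    supported = set(other)
    for suite in preferred:
        if suite in supported:
            return suite
    return None  # no common suite: the handshake would fail


def compare(server: Sequence[str], client: Sequence[str]) -> dict:
    """Selection under both settings for the same server list and offer."""
    return {
        "client_order": negotiate(server, client, honor_server_order=False),
        "server_order": negotiate(server, client, honor_server_order=True),
    }


if __name__ == "__main__":
    for setting, chosen in compare(SERVER_CIPHERS, CLIENT_OFFER).items():
        print(f"{setting:13} -> {chosen}")
```

With the constructed lists, the default rule hands the client its first choice (DHE-RSA-AES256-SHA) even though the server ranks that suite last; enabling server order yields ECDHE-RSA-AES128-GCM-SHA256 instead. That is the whole effect of the option: a carefully ordered tls_cipher_list only determines the outcome when the server is also told to enforce it, and the exclusions (the "!" entries) still apply in both modes since they remove suites from the server list altogether.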
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-tls_honor_cipher_order
Type: application/octet-stream
Size: 1760 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20141016/cfeaedc4/attachment.obj 