Patch for adding tls_honor_cipher_order

Bron Gondwana brong at fastmail.fm
Thu Oct 16 16:31:47 EDT 2014


So my plan is to merge this with Ken while we're at CMU next week, and also patch 2.4 and 2.3 and do releases of them.  I agree that we should do it.

Bron.

On Thu, Oct 16, 2014, at 01:32 PM, Kristian Kræmmer Nielsen wrote:
> Hi,
> 
> Patch attached.
> 
> While at it we might as well also let the user set tls_honor_cipher_order
> if they want to, so that the order of ciphers specified using
> tls_cipher_list is honored.
> 
> By default false, so changes nothing.
> 
> For expert uses, this might give clients a bit of extra performance by using the
> cheaper but still safe ciphers.
> 
> I would recommend going for a list like the one Mozilla has researched for
> browsers, since most clients use the same SSL libraries for both their browser
> and mail client. This is often the case on Unix (OpenSSL) and Windows.
> 
> Hope you'll merge,
> Kristian
> 
> --
> 
> My configuration for reference:
> 
> #https://wiki.mozilla.org/Security/Server_Side_TLS
> tls_cipher_list: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> 
> #tls_ec: prime256v1
> tls_tlsonly: true
> tls_honor_cipher_order: true
> Email had 1 attachment:
> + patch-tls_honor_cipher_order
>   2k (application/octet-stream)


-- 
  Bron Gondwana
  brong at fastmail.fm
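The thread discusses two imapd.conf knobs: tls_cipher_list (an OpenSSL cipher string) and the proposed tls_honor_cipher_order (whether the server's order wins over the client's). The script below is an added example, not Cyrus code and not the attached patch: it expands Kristian's cipher string through Python's ssl module, maps tls_honor_cipher_order: true onto OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE option, and simulates which suite a handshake ends up with under both settings against a constructed client offer. The client offer list and the choose_cipher simulation are assumptions made for the example; the real selection happens inside OpenSSL during the handshake.

```python
"""What tls_honor_cipher_order changes, shown with Python's ssl module.

Added example, not code from Cyrus or from the patch in this thread.
"""
import ssl

# Kristian's tls_cipher_list from the quoted message, rejoined into one string.
CIPHER_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Constructed ClientHello offer (assumption for the example): a client that
# lists a plain RSA/CBC suite first and a forward-secret AES-GCM suite second.
LEGACY_CLIENT_OFFER = ["AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]


def make_server_context(cipher_spec, honor_cipher_order):
    """Build a server SSLContext configured like the two imapd.conf knobs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)  # tls_cipher_list
    if honor_cipher_order:        # tls_honor_cipher_order: true
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:                         # tls_honor_cipher_order: false (the default)
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def honors_cipher_order(ctx):
    """True when the context will impose its own suite order on clients."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def resolve_cipher_list(cipher_spec):
    """Expand an OpenSSL cipher string into concrete suite names, server order.

    On OpenSSL 1.1.1+ the TLS 1.3 suites (TLS_AES_*, configured separately)
    come first; the TLS 1.2 suites follow in the order the string gives, which
    is the order tls_honor_cipher_order: true enforces. Unknown names in the
    string are silently skipped by OpenSSL, so the result may be shorter than
    the spec on builds that lack some suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)
    return [c["name"] for c in ctx.get_ciphers()]


def choose_cipher(server_order, client_offer, honor_server_order):
    """Simulate suite selection for one handshake (assumption: mirrors OpenSSL).

    honor_server_order=True: walk the server's list and take the first suite
    the client also offered. False: walk the client's list and take the first
    suite the server accepts. Returns None when the two lists do not overlap.
    """
    if honor_server_order:
        primary, acceptable = server_order, set(client_offer)
    else:
        primary, acceptable = client_offer, set(server_order)
    for name in primary:
        if name in acceptable:
            return name
    return None


def demo():
    server_order = resolve_cipher_list(CIPHER_SPEC)
    print(f"server list resolves to {len(server_order)} suites")
    for honor in (False, True):
        ctx = make_server_context(CIPHER_SPEC, honor)
        picked = choose_cipher(server_order, LEGACY_CLIENT_OFFER, honors_cipher_order(ctx))
        print(f"tls_honor_cipher_order: {str(honor).lower():5} -> {picked}")


if __name__ == "__main__":
    demo()
```

With the knob off, the client's first mutually supported suite wins (AES256-SHA here, no forward secrecy); with it on, the server's first match wins (ECDHE-RSA-AES128-GCM-SHA256), which is exactly the point Kristian makes about steering clients to the cheaper, still-safe suites at the top of the list. Clearing the option in make_server_context requires Python linked against OpenSSL 1.1.0 or newer; older builds cannot unset options.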

