Patch for adding tls_honor_cipher_order

Kristian Kræmmer Nielsen jkkn at jkkn.dk
Fri Oct 17 08:48:31 EDT 2014


Hi,

"already" - I see you just added it ;-)

But really great Jeroen for implementing these - thanks.

Just a few comments - I see you also added tls_compression - maybe you  
should consider also actually implementing it? ;-)

Also I would recommend logging a failure if a wrong tls_eccurve is  
specified, as I do - you may also want to use openssl's automatic method of  
enabling the elliptic curve instead of prime256v1.

I would recommend that you change tls_versions to a negative list instead  
of a positive list and thereby follow the nature of openssl and other  
projects, e.g. sendmail, apache. The reasoning for this is that you want to  
disable old protocols but always automatically want to support newer  
protocols. At the moment you have no control over possible newer protocols  
which openssl supports. They would with your patch be added anyway, so the  
list would only specify a subset of protocols actually known by cyrus  
imap. E.g. if openssl starts to support tls1.3, that would actually be  
supported in cyrus without any upgrade but be counterintuitive, since it  
would not have to be listed in tls_versions.

Turning it around also makes transitioning easier for administrators, so  
they do not have to make sure to update their protocol list in Cyrus IMAP  
upon updating e.g. OpenSSL. Hence the SSL_OP_NO-options are "no"-options.

/Kristian

On Fri, 17 Oct 2014 12:34:21 +0200, Jeroen van Meeuwen (Kolab Systems)  
<vanmeeuwen at kolabsys.com> wrote:

> On 2014-10-16 19:32, Kristian Kræmmer Nielsen wrote:
>> Hi,
>>  Patch attached.
>>
>
> Something similar is already in cyrus-imapd-2.4:
>
>     
> http://git.cyrusimap.org/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=4b26d2d7244eeaa481871c337e57cd393fd76dfe
>
> For master / 2.5, I have a push pending of a similar nature, while it  
> also addresses some client vs. server certificate chain configuration  
> options (i.e. Internet-facing public CA, verify client certificates  
> against private CA, offer client certificates between Cyrus IMAP  
> servers, and allow requiring certs to be set to "optional" or  
> "required").
>
> Kind regards,
>
> Jeroen van Meeuwen
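
To make the negative-list versus positive-list argument concrete, here is an added example (written for this page, not code from Cyrus IMAP, from the attached patch, or from Jeroen's commit). It maps a tls_versions-style config string onto OpenSSL's SSL_OP_NO_* option bits both ways. The protocol names (ssl2, ssl3, tls1_0, ...), the function names and the TLS_OPTIONS_INVALID sentinel are this example's own assumptions; the SSL_OP_* values are copied from OpenSSL's header (1.0.x/1.1.x values) so the block compiles stand-alone, whereas a real build would include <openssl/ssl.h> and pass the result to SSL_CTX_set_options(). It also logs and rejects an unknown protocol name instead of ignoring it, in the spirit of the tls_eccurve remark above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Documented OpenSSL option bits, copied here so the example builds without
 * <openssl/ssl.h>; a real build takes these macros from that header. */
#define SSL_OP_NO_SSLv2   0x01000000UL
#define SSL_OP_NO_SSLv3   0x02000000UL
#define SSL_OP_NO_TLSv1   0x04000000UL
#define SSL_OP_NO_TLSv1_2 0x08000000UL
#define SSL_OP_NO_TLSv1_1 0x10000000UL
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000UL

/* Returned when the config list contains a name we do not know (assumed sentinel). */
#define TLS_OPTIONS_INVALID (~0UL)

struct proto { const char *name; unsigned long no_bit; };

/* Config names (assumed spelling) and the bit that switches each protocol
 * off. Only versions known when this table was written can appear here. */
static const struct proto protos[] = {
    { "ssl2",   SSL_OP_NO_SSLv2 },
    { "ssl3",   SSL_OP_NO_SSLv3 },
    { "tls1_0", SSL_OP_NO_TLSv1 },
    { "tls1_1", SSL_OP_NO_TLSv1_1 },
    { "tls1_2", SSL_OP_NO_TLSv1_2 },
};
#define NPROTOS (sizeof protos / sizeof protos[0])

/* Case-insensitive equality so "TLS1_2" and "tls1_2" both match. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* OR the bit of every protocol named in a space/comma-separated list into
 * *acc. An unknown name is logged and fails the whole call (returns -1) so a
 * typo cannot silently leave a protocol enabled or disabled. */
static int accumulate_bits(const char *list, unsigned long *acc)
{
    char buf[256], *tok;
    size_t i;
    if (strlen(list) >= sizeof buf) {
        fprintf(stderr, "tls_versions: list too long\n");
        return -1;
    }
    strcpy(buf, list);
    for (tok = strtok(buf, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
        for (i = 0; i < NPROTOS && !name_eq(tok, protos[i].name); i++)
            ;
        if (i == NPROTOS) {
            fprintf(stderr, "tls_versions: unknown protocol '%s'\n", tok);
            return -1;
        }
        *acc |= protos[i].no_bit;
    }
    return 0;
}

/* Negative list (what the mail recommends): the config names protocols to
 * DISABLE and the mask is exactly those bits. Everything else, including a
 * version this table has never heard of, stays enabled without a code change. */
unsigned long tls_options_negative(const char *disabled, int honor_cipher_order)
{
    unsigned long opts = honor_cipher_order ? SSL_OP_CIPHER_SERVER_PREFERENCE : 0;
    if (accumulate_bits(disabled, &opts) != 0)
        return TLS_OPTIONS_INVALID;
    return opts;
}

/* Positive list, for contrast: the config names protocols to ENABLE, so the
 * code must set the NO bit of every *known* protocol not listed. A version
 * newer than the table has no bit to set and is enabled anyway, so the list
 * only looks exhaustive; that is the counterintuitive case the mail describes. */
unsigned long tls_options_positive(const char *enabled, int honor_cipher_order)
{
    unsigned long keep = 0, all = 0;
    size_t i;
    for (i = 0; i < NPROTOS; i++)
        all |= protos[i].no_bit;
    if (accumulate_bits(enabled, &keep) != 0)
        return TLS_OPTIONS_INVALID;
    return (all & ~keep) | (honor_cipher_order ? SSL_OP_CIPHER_SERVER_PREFERENCE : 0);
}

int main(void)
{
    /* Constructed config values: disable the legacy protocols, honor server cipher order. */
    printf("negative 'ssl2 ssl3': 0x%08lx\n", tls_options_negative("ssl2 ssl3", 1));
    printf("positive 'tls1_2':    0x%08lx\n", tls_options_positive("tls1_2", 1));
    return 0;
}
```

With the negative form, an administrator who upgrades OpenSSL to a release that adds a new TLS version gets it offered immediately and can still turn it off by adding one name once the table learns it; with the positive form the same upgrade silently enables a protocol the config never mentions.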

