Disallowing SSLv2

Dennis Davis D.H.Davis at bath.ac.uk
Fri Jun 4 11:33:50 EDT 2010


On Fri, 4 Jun 2010, Raphael Jaffey wrote:

> From: Raphael Jaffey <rjaffey at artic.edu>
> To: Lorenzo Marcantonio <l.marcantonio at logossrl.com>
> Cc: "Rosenbaum, Larry M." <rosenbaumlm at ornl.gov>,
>     "info-cyrus at lists.andrew.cmu.edu" <info-cyrus at lists.andrew.cmu.edu>
> Date: Fri, 4 Jun 2010 15:41:54
> Subject: Re: Disallowing SSLv2
> 
> Lorenzo Marcantonio wrote:
> > On Fri, 4 Jun 2010, Rosenbaum, Larry M. wrote:
> > 
> >> How do I tell Cyrus IMAP to not allow SSLv2?
> > 
> > I used this in imapd.conf:
> > 
> > tls_cipher_list: ALL:!ADH:!EXP:!MD5:!LOW
> >
> 
> You need to add !SSLv2 to your example to get the desired effect:
> 
> tls_cipher_list: ALL:!SSLv2:!ADH:!EXP:!MD5:!LOW

I currently use:

# Insist on "proper", rather than "mickey-mouse", ciphers.  We'll
# expect to see high (key length > 128 bits) or medium (key length
# of 128 bits) ciphers, sorted by strength.
tls_cipher_list: HIGH:MEDIUM:@STRENGTH

To exclude SSLv2 ciphers as well, I'd write that as:

tls_cipher_list: HIGH:MEDIUM:!SSLv2:@STRENGTH
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101


More information about the Info-cyrus mailing list