Patch for adding tls_honor_cipher_order
Wolfgang Breyha
wbreyha at gmx.net
Thu Oct 23 10:04:47 EDT 2014
Kristian Kræmmer Nielsen wrote on 17/10/14 15:13:
> The more important part of my previous mail are that there are issues with
> the patches that now have been merged into git. E.g. compression is not
> merged correctly and it is recommended to do negative list and not
> positive lists of protocols.
Yes, you're right. The patches in master tree have broken logic...
Option documentation says:
tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2
Disable SSL/TLS protocols not in this list.
Code says:
+ if (strstr(tls_versions, "tls1_2") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL)
+ off |= SSL_OP_NO_TLSv1_2;
+#else
+ syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient");
+#endif
+ }
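Review bot: the `#else` branch fires in the wrong case. It is reached when `tls1_2` is absent from `tls_versions` (`strstr` returned NULL), yet it logs "TLSv1.2 configured, OpenSSL < 1.0.1e insufficient", so the ERROR is raised exactly when TLSv1.2 was not requested, while the case the message describes (tls1_2 listed but the library too old to offer it) produces no warning at all. Suggest moving the library-version check and the syslog() into the `strstr(...) != NULL` branch, keeping `off |= SSL_OP_NO_TLSv1_2;` in the absent branch, and guarding that line with `#ifdef SSL_OP_NO_TLSv1_2` rather than a version-number comparison. Note also that `strstr` does substring matching, so an exact token match would be safer once more version names are added to the list.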
Setting the NO_TLSv1_2 option does the opposite of the expected/wanted
behavior. I also would prefer a negative list as most other daemons like
apache, exim, ... use. Maybe a more generic
tls_openssl_options: no_ssl2 no_ssl3 no_compression prefer_server_cipher_order
would be better?
And yes, you're also right with mentioning that functionality is missing.
tls_compression: 0
Enable TLS compression. Disabled by default.
tls_eccurve: prime256v1
Select the elliptic curve used for ECDHE.
description is there, but there is no code doing it actually. Support for ECDH
auto mode in Openssl 1.2+ as provided in
https://bugzilla.cyrusimap.org/attachment.cgi?id=1535
is missing in the documentation as well.
I think this should be fixed/enhanced for an alpha release of 2.5.
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha at gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria
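As an added illustration of the negative-list parsing a `tls_openssl_options` setting like the one proposed above would need (my own example, not code from the patch or from Cyrus): each token must match exactly and an unknown token is rejected, so a typo cannot silently leave a protocol enabled. The option bits are local stand-ins for the corresponding `SSL_OP_*` macros.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in bits for SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_COMPRESSION
 * and SSL_OP_CIPHER_SERVER_PREFERENCE; real code would use those macros. */
#define OPT_NO_SSL2        (1UL << 0)
#define OPT_NO_SSL3        (1UL << 1)
#define OPT_NO_COMPRESSION (1UL << 2)
#define OPT_SERVER_PREF    (1UL << 3)

static const struct { const char *name; unsigned long bit; } tls_option_table[] = {
    { "no_ssl2",                    OPT_NO_SSL2 },
    { "no_ssl3",                    OPT_NO_SSL3 },
    { "no_compression",             OPT_NO_COMPRESSION },
    { "prefer_server_cipher_order", OPT_SERVER_PREF },
};

/* Parse a space/tab/comma separated option list into a bitmask.
 * Tokens are compared whole (strstr-style substring matching would accept
 * "no_ssl" or "no_ssl3x" as no_ssl3). Returns 0 on success, -1 on an
 * unknown token, copying that token into badtok for the caller's log line. */
int tls_options_parse(const char *list, unsigned long *mask, char *badtok, size_t badlen)
{
    const size_t n = sizeof tls_option_table / sizeof tls_option_table[0];
    const char *p = list;

    *mask = 0;
    if (badlen) badtok[0] = '\0';
    if (list == NULL) return 0;                 /* option unset: nothing selected */

    while (*p) {
        size_t len, i;
        p += strspn(p, " \t,");                 /* skip separators */
        if (!*p) break;
        len = strcspn(p, " \t,");
        for (i = 0; i < n; i++)
            if (strlen(tls_option_table[i].name) == len &&
                strncmp(p, tls_option_table[i].name, len) == 0) break;
        if (i == n) {
            if (badlen) snprintf(badtok, badlen, "%.*s", (int)len, p);
            return -1;
        }
        *mask |= tls_option_table[i].bit;
        p += len;
    }
    return 0;
}
```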
More information about the Info-cyrus mailing list