cyrus 2.4.17 TLS woes
Patrick Goetz pgoetz at mail.utexas.edu
Thu Jan 15 13:44:34 EST 2015

On 01/15/2015 10:04 AM, Wolfgang Breyha wrote:
> Maybe
> https://bettercrypto.org/
> is of help.
>
Thanks for both writing and sharing that document.  Unfortunately it 
only has this to say about cyrus-imap:
-------------------------------------------------
Limiting the ciphers provided may force (especially older) clients to 
connect without encryption at all! Sticking to the defaults is recommended.
If you still want to force strong encryption use
tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
-------------------------------------------------
OK, but then what is the default?  The imapd.conf man page only tells us 
this:
    tls_cipher_list: DEFAULT
I guess my real concern is recent SSL exploits.  Maybe if I'm only using 
STARTTLS this isn't a worry anyway?
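
Added example, not part of the original message: the `tls_cipher_list` value is an OpenSSL cipher string, so `DEFAULT` can be expanded locally and compared with the string quoted above. This sketch assumes Python's `ssl` module is linked against the same OpenSSL as imapd; the function names and the weak-marker list are illustrative choices made here.

```python
import ssl

# Cipher string quoted in the message above (line wraps joined).
STRICT = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
          "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
          "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:"
          "!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA")

# Name fragments treated as weak for this illustration (an assumption,
# not an authoritative list): RC4, NULL encryption, 3DES, MD5, export,
# and anonymous (unauthenticated) key exchange.
WEAK_MARKERS = ("RC4", "NULL", "DES-CBC3", "MD5", "EXP", "ADH", "AECDH")


def expand(cipher_string):
    """Return the ordered suite names the local OpenSSL enables for a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects nothing in this OpenSSL build
    # TLS 1.3 suites are listed too; set_ciphers() does not control them.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Return the suite names that contain any weak marker, in order."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def compare(default="DEFAULT", strict=STRICT):
    """Summarise how the default expansion differs from the strict one."""
    d, s = expand(default), expand(strict)
    return {
        "default_count": len(d),
        "strict_count": len(s),
        "only_in_default": sorted(set(d) - set(s)),
        "weak_in_default": weak_suites(d),
        "weak_in_strict": weak_suites(s),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The output depends on the OpenSSL version installed, so run it on the mail server itself rather than on a workstation.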