[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for "poodle" fix
Simon Déziel
1381537 at bugs.launchpad.net
Mon Oct 20 15:35:19 UTC 2014
On 10/20/2014 11:18 AM, Roger Cornelius wrote:
> According to
> https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability,
> SSLv3 can be switched off in 2.0.19 by adding "!SSLv3" to the
> ssl_cipher_list config option. Is that not correct?
Doing so will drop support for TLS 1.0 and 1.1 too (leaving 1.2 only).
This is explained by the fact that all the ciphers defined by SSLv3 are
also shared by TLS 1.0 and 1.1 so removing them only leaves those added
by TLS 1.2.
$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL' | wc -l
77
$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3' | wc -l
28
This is generally not advisable because many email clients do not
support TLS 1.2. The article should be fixed.
Simon
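Added example (not part of the bug thread): a small model of why the "!SSLv3" token in an OpenSSL cipher string leaves only TLS 1.2 clients able to connect. The `openssl ciphers -v` lines below are constructed samples, not output from any particular system; the protocol column is the suite's minimum protocol as OpenSSL labels it.

```python
# Constructed sample of `openssl ciphers -v` output (name, min protocol, ...).
# Suites labelled SSLv3 are the ones shared by SSLv3, TLS 1.0 and TLS 1.1;
# suites labelled TLSv1.2 were introduced by TLS 1.2 (AEAD / SHA-2 MACs).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""


def parse_ciphers_v(text):
    """Return [(suite_name, min_protocol)] from `openssl ciphers -v` text."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            suites.append((parts[0], parts[1]))
    return suites


def apply_not_sslv3(suites):
    """Emulate the '!SSLv3' token: permanently drop every suite whose
    minimum-protocol column is SSLv3. It filters suites, not protocols."""
    return [s for s in suites if s[1] != "SSLv3"]


def usable_by_protocol(suites):
    """For each protocol version, is there at least one suite left to offer?
    TLS 1.0 and 1.1 defined no suites of their own, so they can only use the
    SSLv3-era ones; TLS 1.2 can use those plus the suites it introduced."""
    has_sslv3_era = any(proto == "SSLv3" for _, proto in suites)
    has_tls12_only = any(proto == "TLSv1.2" for _, proto in suites)
    return {
        "SSLv3": has_sslv3_era,
        "TLSv1": has_sslv3_era,
        "TLSv1.1": has_sslv3_era,
        "TLSv1.2": has_sslv3_era or has_tls12_only,
    }


if __name__ == "__main__":
    before = parse_ciphers_v(SAMPLE_CIPHERS_V)
    after = apply_not_sslv3(before)
    print(len(before), "suites ->", len(after), "after !SSLv3")
    print(usable_by_protocol(after))
```

Run against real `openssl ciphers -v` output the same way to see how many suites a given cipher string leaves for each protocol version.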
https://bugs.launchpad.net/bugs/1381537