[Users] SSL cipher recommendations - was Re: Dovecot 2.2.34 can break your world

Brian Morrison bdm at fenrir.org.uk
Thu Mar 15 12:15:58 CET 2018


On Wed, 14 Mar 2018 20:20:44 -0400
Steve Litt wrote:

> you need to manually write in uncommented SSLv3
> in 10-ssl.conf everywhere commented SSLv2 occurs.

While this might make things work, it's worth pointing out that SSLv3
is regarded as very insecure these days, so it's better to use a list of
defined ciphers in your SSL configs.

This link:

https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

provides some information on what is good and bad. Naturally, it's
sensible to back up your various configs before making changes.

It's interesting to look at ssh logs after these changes. If you run
public-facing servers, there is a big increase in failed sessions
because the other end doesn't support crypto that has been in public
use for 20 years and is recommended for these uses.

-- 

Brian Morrison
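
An added example, not part of the original message or of Dovecot itself: a small audit of the SSL settings in a 10-ssl.conf-style file, flagging an enabled SSLv2/SSLv3 and weak entries in the cipher list. The sample config is constructed, and the set of "weak" keywords is an assumption chosen for illustration; `ssl_protocols` and `ssl_cipher_list` are the Dovecot setting names.

```python
import re

# Constructed sample of a 10-ssl.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
ssl = required
#ssl_protocols = !SSLv2
ssl_protocols = SSLv3
ssl_cipher_list = HIGH:RC4-SHA:!aNULL:!MD5
"""

# Assumed keyword list: OpenSSL cipher-string parts that select weak suites.
WEAK = re.compile(r"RC4|3DES|DES|MD5|EXP|NULL|LOW", re.I)

def parse_settings(text):
    """Return {key: value} for uncommented 'key = value' lines (last wins)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return a list of findings for the SSL settings in a Dovecot config."""
    s = parse_settings(text)
    findings = []
    # In ssl_protocols a leading '!' disables a protocol; a bare name enables it.
    for proto in s.get("ssl_protocols", "").split():
        if proto.upper() in ("SSLV2", "SSLV3"):
            findings.append(f"ssl_protocols enables {proto}")
    if "ssl_cipher_list" not in s:
        findings.append("ssl_cipher_list not set explicitly")
    for token in s.get("ssl_cipher_list", "").split(":"):
        # '!' and '-' prefixes remove suites, so only other tokens are checked.
        if token and token[0] not in "!-" and WEAK.search(token):
            findings.append(f"ssl_cipher_list includes weak entry {token}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against a copy of the config before and after a change to confirm the edit had the intended effect.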


