
I have the following cipher suite on Apache:

#TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

But how can I implement the same cipher suite on Dovecot? I have tried this, but TLSv1.3 is still unchanged, and even TLSv1.2 does not change at all.

ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

Btw, I am using Dovecot SASL for postfix. I am unsure if that matters, but it might.

  • Uhm, `TLSv1.3` is not a Cipher, it's a protocol. Setting `TLSv1.3` in `SSLCipherSuite` does nothing, it belongs into the `SSLProtocol` directive. – Gerald Schneider Dec 27 '20 at 12:19
  • What exactly are you trying to accomplish? Do you want to specify the ciphers to use or the protocol versions to use? – Gerald Schneider Dec 27 '20 at 12:19
  • @GeraldSchneider Setting TLSv1.3 in the `SSLCipherSuite` directive works for me. I can set ciphers specifically for TLSv1.3. I got that from this answer: https://serverfault.com/questions/1047616/how-to-disable-aes128-in-apache –  Dec 27 '20 at 12:27
  • Oh, okay. I wasn't aware of that syntax. You always learn something new. – Gerald Schneider Dec 27 '20 at 12:40
  • @GeraldSchneider :) –  Dec 27 '20 at 13:21
  • Based on the code there should be some `ssl_ciphersuites` option since 2.3.9 - see [this commit](https://github.com/dovecot/core/commit/8f6f04eb21276f28b81695dd0d3df57c7b8f43e4). It should expect a syntax like described in [SSL_CTX_set_ciphersuites](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html). But I cannot see it documented. – Steffen Ullrich Dec 27 '20 at 14:00
  • `ssl_cipher_list` is briefly mentioned on the [dovecot doc](https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/#ssl-security-settings) but I can't seem to find documentation for `ssl_ciphersuites`. – Ginnungagap Dec 27 '20 at 19:08
  • @Ginnungagap yep me too. –  Dec 28 '20 at 02:59
  • Apparently this is the same question that you have [asked for Postfix](https://serverfault.com/questions/1049169/how-to-disable-tls-aes-128-gcm-sha256-or-how-to-set-tlsv1-3-ciphers-in-postfi). The same applies here: you shouldn't try to remove `TLS_AES_128_GCM_SHA256` from TLS 1.3. – Esa Jokinen Jan 09 '21 at 14:04
  • @EsaJokinen, I had deleted this question. But, because someone told me not to keep deleting, I undeleted this I think. You could help me disable Client Initiated renegotiation [here](https://serverfault.com/questions/1049091/how-do-i-disable-secure-client-initiated-renegotiation-on-dovecot), after all this question doesn't make sense anymore... –  Jan 09 '21 at 14:44
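
A Dovecot configuration that mirrors the Apache setup from the question, as an added example that is not part of the original thread. It uses the asker's TLS 1.2 string for `ssl_cipher_list` and the `ssl_ciphersuites` name that Steffen Ullrich found in the linked 2.3.9 commit (undocumented at the time, so its exact name in your release is an assumption to verify); the file path is the usual Debian layout.

```conf
# /etc/dovecot/conf.d/10-ssl.conf (Debian-style layout; adjust the path to your install)
ssl = required
ssl_min_protocol = TLSv1.2

# TLS 1.2 and below: OpenSSL cipher-list syntax (SSL_CTX_set_cipher_list).
# This is the string from the question. TLS 1.3 suite names (TLS_*) do not belong here;
# OpenSSL selects TLS 1.3 suites from the separate ciphersuites list, which is why
# changing only this line leaves TLS 1.3 untouched.
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

# TLS 1.3 only: OpenSSL ciphersuite syntax (SSL_CTX_set_ciphersuites).
# Setting name taken from the 2.3.9 commit linked in the comments (assumed; confirm
# against your version). TLS_AES_128_GCM_SHA256 is kept on purpose: RFC 8446 makes it
# mandatory-to-implement, and dropping it only breaks otherwise compliant clients.
ssl_ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Let the server's ordering win for the TLS 1.2 list.
ssl_prefer_server_ciphers = yes
```

Check what Dovecot actually loaded with `doveconf -n | grep ^ssl_` (an unknown setting name is reported there as an error rather than silently ignored), and confirm the negotiated suite from a client with `openssl s_client -connect mail.example.com:993 -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256`.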

0 Answers