So my plan is to merge this with Ken while we're at CMU next week, and also patch 2.4 and 2.3 and do releases of them. I agree that we should do it.

Bron.

On Thu, Oct 16, 2014, at 01:32 PM, Kristian Kræmmer Nielsen wrote:
> Hi,
>
> Patch attached.
>
> While at it we might as well also let the user set tls_honor_cipher_order
> if they want to, so that the order of ciphers specified using
> tls_cipher_list is honored.
>
> By default false, so it changes nothing.
>
> For expert users it might give clients a bit of extra performance by using the
> cheaper but still safe ciphers.
>
> I would recommend going for a list such as the one Mozilla has researched for
> browsers, since most clients use the same SSL libraries for both their browser
> and mail client. This is often the case on unix (openssl) and Windows.
>
> Hope you'll merge,
> Kristian
>
> --
>
> My configuration for reference:
>
> #https://wiki.mozilla.org/Security/Server_Side_TLS
> tls_cipher_list: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
> #tls_ec: prime256v1
> tls_tlsonly: true
> tls_honor_cipher_order: true
>
> Email had 1 attachment:
> + patch-tls_honor_cipher_order
>   2k (application/octet-stream)

--
Bron Gondwana
br...@fastmail.fm
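Added example (not part of the thread, the patch, or Cyrus itself): what honoring the server's cipher order changes. `negotiate()` models the TLS 1.2 selection rule, server-preference order versus client-preference order, on two constructed preference lists; `expand_cipher_string()` asks the local OpenSSL build, through Python's `ssl` module, how it resolves a cipher string such as the one quoted above, which is also how a mistyped list or one that no longer matches anything shows up (`set_ciphers()` raises). The function names and the sample preference lists are assumptions for this illustration.

```python
"""Added example: effect of a server-preferred cipher order (not Cyrus code)."""
import ssl

# Cipher string quoted in the thread (Mozilla's server-side TLS list of 2014).
THREAD_CIPHER_LIST = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA", "AES256-SHA",
    "AES", "CAMELLIA", "DES-CBC3-SHA",
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5", "!PSK", "!aECDH",
    "!EDH-DSS-DES-CBC3-SHA", "!EDH-RSA-DES-CBC3-SHA", "!KRB5-DES-CBC3-SHA",
])

# Fragments that the "!..." terms above are meant to keep out of the result.
BANNED_FRAGMENTS = ("RC4", "MD5", "NULL", "EXP")


def expand_cipher_string(cipher_string):
    """Return the ordered list of TLS <= 1.2 cipher names that the local
    OpenSSL resolves `cipher_string` to. ssl.SSLError is raised when no
    cipher matches at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also reports the fixed TLS 1.3 suites; a cipher string
    # does not govern those, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def banned_ciphers(names):
    """Names from `names` that contain a fragment the list was meant to exclude."""
    return [n for n in names if any(frag in n for frag in BANNED_FRAGMENTS)]


def negotiate(server_prefs, client_offer, honor_server_order):
    """Pick the cipher a TLS 1.2 handshake ends with.

    With honor_server_order (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE, i.e.
    tls_honor_cipher_order: true) the first entry of the server's list that
    the client also offered wins. Without it the client's order decides and
    the server merely filters out what it does not support."""
    if honor_server_order:
        preferred, other = server_prefs, client_offer
    else:
        preferred, other = client_offer, server_prefs
    for name in preferred:
        if name in other:
            return name
    return None  # no common cipher: the handshake would fail


# Constructed (hypothetical) preference lists: the server favours the cheap
# AES-128-GCM suite with forward secrecy, the client lists a plain-RSA
# AES-256-CBC suite first.
SERVER_PREFS = ["ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"]
CLIENT_OFFER = ["AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("server order honored:", negotiate(SERVER_PREFS, CLIENT_OFFER, True))
    print("client order used:   ", negotiate(SERVER_PREFS, CLIENT_OFFER, False))
    names = expand_cipher_string(THREAD_CIPHER_LIST)
    print(len(names), "ciphers resolved; first is", names[0])
    print("banned fragments present:", banned_ciphers(names))
```

With the sample lists, honoring the server order yields ECDHE-RSA-AES128-GCM-SHA256 (cheaper, forward secret), while leaving the choice to the client yields AES256-SHA, which is the difference the patch makes configurable. The expanded list depends on the OpenSSL build the script runs against, so older entries such as the 3DES suites may simply not appear on a current system.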