Hi,

Patch attached. While at it, we might as well also let the user set tls_honor_cipher_order if they want to, so that the order of ciphers specified using tls_cipher_list is honored.
By default false, so it changes nothing. For expert uses, it might give clients a bit of extra performance by using the cheaper but still safe ciphers.
I would recommend going for a list such as the one Mozilla has researched for browsers, since most clients use the same SSL libraries for both their browser and mail client. This is often the case on Unix (OpenSSL) and Windows.
Hope you'll merge,
Kristian

--
My configuration for reference:

#https://wiki.mozilla.org/Security/Server_Side_TLS
tls_cipher_list: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#tls_ec: prime256v1
tls_tlsonly: true
tls_honor_cipher_order: true
Attachment:
patch-tls_honor_cipher_order
Description: Binary data
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
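
Added example, not part of the original message or of the Cyrus patch: a simplified model of TLS 1.2-style cipher suite selection, showing what changes when the server honors its own cipher order instead of the client's. The function names and the client offer are constructed for illustration; the server list is a short, order-preserving subset of the tls_cipher_list posted above.

```python
# Simplified model (an assumption of this example): the server picks the first
# suite from the "preferred" side that the other side also supports. Real TLS
# libraries additionally filter by protocol version, certificate key type, etc.

# Order-preserving subset of the tls_cipher_list from the message above.
SERVER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "AES256-SHA",
]

# Constructed client offer: a client that lists a non-forward-secret CBC
# suite first, although it also supports the ECDHE/GCM suites.
CLIENT_OFFER = [
    "AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def negotiate(client_offer, server_list, honor_cipher_order):
    """Return the suite the server selects, or None if there is no overlap."""
    if honor_cipher_order:
        preferred, supported = server_list, set(client_offer)
    else:
        preferred, supported = client_offer, set(server_list)
    for suite in preferred:
        if suite in supported:
            return suite
    return None  # no shared suite: the handshake would fail


def compare(client_offer, server_list=SERVER_LIST):
    """Selected suite for both settings of tls_honor_cipher_order."""
    return {
        "tls_honor_cipher_order: false": negotiate(client_offer, server_list, False),
        "tls_honor_cipher_order: true": negotiate(client_offer, server_list, True),
    }


if __name__ == "__main__":
    for setting, suite in compare(CLIENT_OFFER).items():
        print(f"{setting:32} -> {suite}")
```

With the option left at its default, the order of tls_cipher_list only decides which suites are allowed; the first acceptable entry in the client's list is used.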