gromox/{imap,pop3} don't support configuration of TLSv1.2/1.3 ciphers (and ordering) #90
Comments
Having to edit cipher lists for every individual daemon does not scale very well for an administrator. Gromox thus decided not to offer this and instead just reuses the global (system-wide) configuration. If you want to include or exclude specific TLS versions or ciphers, you do that via openssl.cnf, cf. the config(5) manpage, section "SSL Configuration". https://en.opensuse.org/SDB:Crypto-policies
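The openssl.cnf route the maintainer points to, as an added example (not from the Gromox project or from anyone in this thread): a "system_default" SSL Configuration section as documented in config(5) that pins the minimum protocol, the TLS 1.2 cipher list, the TLS 1.3 ciphersuites, server-side ordering and the key-exchange groups. The file path and every cipher and group choice below are illustrative assumptions, not values this issue or TR-02102-2 prescribes. Note that the section applies to every program on the host that links the system OpenSSL and loads the default configuration, which is exactly the per-host rather than per-daemon granularity under discussion.

```ini
# Added example: fragment for /etc/ssl/openssl.cnf (assumed path; see
# config(5), section "SSL Configuration"). Values are illustrative choices,
# not recommendations taken from this issue.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is applied to every SSL_CTX created by a program that
# loads the default OpenSSL configuration, i.e. it is host-wide, not per daemon.
system_default = system_default_sect

[system_default_sect]
# Refuse TLS 1.0 and 1.1 outright.
MinProtocol = TLSv1.2
# TLS 1.2 cipher list in OpenSSL cipher-string syntax (same role as nginx ssl_ciphers).
CipherString = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
# TLS 1.3 suites are configured separately, by ciphersuite name, colon-separated.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Honour the server's order above rather than the client's
# (same role as nginx ssl_prefer_server_ciphers on).
Options = ServerPreference
# Key-exchange groups in preference order (same role as nginx ssl_ecdh_curve).
Groups = X25519:secp384r1
```

After restarting the daemons, a handshake forced to an excluded version should fail and a TLS 1.2 handshake should report a cipher from the list above, e.g. `openssl s_client -connect imap.example.com:993 -tls1_1` versus `openssl s_client -connect imap.example.com:993 -tls1_2` (hostname is a placeholder). On distributions that ship crypto-policies, the system openssl.cnf typically `.include`s the policy's generated file, so check whether that include supersedes a hand-written section before relying on it.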
I kindly disagree, because especially "crypto-policies" have the disadvantage of only providing one crypto policy per crypto (library) implementation, but not one per specific daemon/service/software. Aside from that, I don't see how "crypto-policies" would allow configuring the server-side ordering preference of ciphers (e.g. performance-optimized ciphers vs. stronger ciphers first). To avoid misunderstandings: my expectation would be to have whatever OpenSSL and crypto-policies define as system-wide defaults, but to optionally allow overriding them using specific settings in the corresponding gromox configuration files (it already works like this for other system services, such as Postfix).
As of writing, gromox/{imap,pop3} don't support configuration of TLSv1.2/1.3 ciphers (and ordering). What is missing actually equals the NGINX settings ssl_ciphers (TLSv1.2), ssl_prefer_server_ciphers (TLSv1.2) and ssl_ecdh_curve (TLSv1.3). Any chance to have this in the future?

IIRC Zarafa (and later Kopano Core as a fork) supported at least the TLSv1.2-compatible part due to https://github.com/robert-scheck/zarafa-patches/blob/main/zarafa-7.1.10-ssl_protocols_ciphers.patch, which might be an inspiration for implementation.

Technical Guideline TR-02102-2: Cryptographic Mechanisms: Recommendations and Key Lengths from the German Federal Office for Information Security ("BSI") recommends specific ciphers, which unfortunately can currently not be configured in gromox/{imap,pop3}.