On Mon, 15 Nov 2004, OpenMacNews wrote:
> but, why is "imapd -s is for IMAP connections that are externally wrapped
> by SSL" --> considered "BAD"?

Because TLS allows one to select which certificate to present, and SSL doesn't. SSLv3 is pretty much as good as TLSv1 otherwise (but I gather that TLSv1 has a better method to set up the shared symmetrical key). SSLv2 should not be used at all if you can help it; it has even more weaknesses, to the point that TLS servers will effectively deny SSLv2 connections to anything they detect to support TLS :). SSLv1 is an absolute no.

> i presume, then, that SSLvX *starts* encrypted ... hence the port 993.
> true?

Yes.

> >BTW add this to imapd.conf:
> >tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I did some extra reading.

> tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> i _thought_ the !ADH is there by default ... and i see no reason NOT to
> explicitly include (ALL) the high/med grade ciphers.

It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the latter is better). Try openssl ciphers -v, and you'll see.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
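The check the reply recommends, expanding a candidate tls_cipher_list with `openssl ciphers -v` and looking for anonymous (Au=None) suites that a missing !ADH/!aNULL leaves in, as an added Python example that is not part of the original mail or of Cyrus. The sample output lines are constructed to mirror OpenSSL's -v column format so the parser can be exercised offline; the live check assumes an openssl binary on PATH.

```python
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output for a list such as
# TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH (real column format, hand-written lines):
SAMPLE_OUTPUT = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
"""

def parse_ciphers_v(output):
    """Parse `openssl ciphers -v` lines into dicts keyed name, proto, Kx, Au, Enc, Mac."""
    suites = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        entry = {"name": fields[0], "proto": fields[1]}
        for field in fields[2:]:
            key, _, value = field.partition("=")
            if value:
                entry[key] = value
        suites.append(entry)
    return suites

def weak_suites(output):
    """Names of suites no tls_cipher_list should allow: anonymous key exchange
    (Au=None, the ADH/aNULL family) or no encryption (Enc=None, the eNULL family)."""
    return [s["name"] for s in parse_ciphers_v(output)
            if s.get("Au") == "None" or s.get("Enc") == "None"]

def check_cipher_list(cipher_list):
    """Expand cipher_list with the local openssl binary (assumed on PATH) and return
    the weak suites it still contains; None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return weak_suites(proc.stdout)

if __name__ == "__main__":
    for cl in ("TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH",
               "ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"):
        print(cl, "->", check_cipher_list(cl))
```

On the sample, the TLSv1:SSLv3 list still carries the two ADH suites, while a list with !aNULL yields an empty result.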