
File dovecot-2.2.18-better_ssl_defaults.patch of Package dovecot22.openSUSE_13.2_Update

Index: dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf
===================================================================
--- dovecot-2.2.18.orig/doc/example-config/conf.d/10-ssl.conf
+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf
@@ -9,8 +9,8 @@
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/private/dovecot.crt
-ssl_key = </etc/ssl/private/dovecot.pem
+#ssl_cert = </etc/ssl/private/dovecot.crt
+#ssl_key = </etc/ssl/private/dovecot.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
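Review bot: Commenting out `ssl_cert` and `ssl_key` leaves a fresh install with no certificate configured, and the hunk adds no comment telling the administrator what is expected. The compiled defaults for both are the empty string, as the master-service-ssl-settings.c hunk later in this patch shows. The `ssl` setting itself is outside this hunk, so whether Dovecot refuses to start or runs without TLS in that state should be confirmed. I would add a line above the two settings such as `# No certificate is configured by default: set ssl_cert and ssl_key before enabling SSL/TLS.` so that the quick fix is not to switch TLS off.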
@@ -43,20 +43,20 @@ ssl_key = </etc/ssl/private/dovecot.pem
 #ssl_cert_username_field = commonName
 
 # DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+ssl_dh_parameters_length = 2048
 
 # SSL protocols to use
-#ssl_protocols = !SSLv2
+ssl_protocols = !SSLv2 !SSLv3
 
 # SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
 # Prefer the server's order of ciphers over client's.
-#ssl_prefer_server_ciphers = no
+ssl_prefer_server_ciphers = yes
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
 
 # SSL extra options. Currently supported options are:
 #   no_compression - Disable compression.
-#ssl_options =
+ssl_options = no_compression
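Review bot: The new `ssl_cipher_list` is an exclusion list built on `ALL`, so the suites actually offered depend on the OpenSSL build, and nothing in the file tells an administrator how to check the result. I would add a comment above it such as `# Check the effective list with: openssl ciphers -v '<value of ssl_cipher_list>'`. The trailing `!LOW@STRENGTH` also departs from the documented colon-separated form and reads more clearly as `!LOW:@STRENGTH`, and `!ADH` is already covered by `!aNULL`. The same literal is repeated in the master-service-ssl-settings.c and driver-mysql.c hunks, so any correction has to be made in all three places.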
Index: dovecot-2.2.18/src/lib-master/master-service-ssl-settings.c
===================================================================
--- dovecot-2.2.18.orig/src/lib-master/master-service-ssl-settings.c
+++ dovecot-2.2.18/src/lib-master/master-service-ssl-settings.c
@@ -43,8 +43,8 @@ static const struct master_service_ssl_s
 	.ssl_cert = "",
 	.ssl_key = "",
 	.ssl_key_password = "",
-	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
-	.ssl_protocols = "!SSLv2",
+	.ssl_cipher_list = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
+	.ssl_protocols = "!SSLv2 !SSLv3",
 	.ssl_cert_username_field = "commonName",
 	.ssl_crypto_device = "",
 	.ssl_verify_client_cert = FALSE,
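Review bot: Only `ssl_cipher_list` and `ssl_protocols` change in the compiled defaults here, while the example config in this patch also raises `ssl_dh_parameters_length` to 2048, enables `ssl_prefer_server_ciphers` and sets `ssl_options = no_compression`. An installation that keeps its own 10-ssl.conf therefore gets only part of the hardening, and which part is not obvious. The initializer continues outside the hunk and the other defaults may live in a different settings file, so this should be checked against the full source. If the split is intentional, a comment next to the changed lines would help, e.g. `/* distribution default; DH length, server cipher preference and no_compression are set in 10-ssl.conf only */`.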
Index: dovecot-2.2.18/src/lib-sql/driver-mysql.c
===================================================================
--- dovecot-2.2.18.orig/src/lib-sql/driver-mysql.c
+++ dovecot-2.2.18/src/lib-sql/driver-mysql.c
@@ -156,7 +156,7 @@ static void driver_mysql_parse_connect_s
 	const char *const *args, *name, *value;
 	const char **field;
 
-	db->ssl_cipher = "HIGH";
+	db->ssl_cipher = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH";
 	db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */
 
 	args = t_strsplit_spaces(connect_string, " ");
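Review bot: The context line directly after the changed assignment still sets `db->ssl_verify_server_cert = 0`, so the stronger `ssl_cipher` default protects a connection whose peer is never authenticated. A client that does not verify the server certificate can be intercepted regardless of cipher strength, which undercuts the purpose of a patch about better SSL defaults. If flipping the default is too disruptive for an update, the assignment should at least say so, e.g. `/* server certificate is NOT verified by default; enable ssl_verify_server_cert in the connect string */`. The option is presumably parsed further down, and the function body continues outside the hunk.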