ssl: change to more secure default ssl_cipher_list

diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
index cb77799e2c386b4bd8b8dffb13bf9ab39eb42314..c7756cabb343ada3ef74f61e5d1c20d3c00e1728 100644 (file)
--- a/doc/example-config/conf.d/10-ssl.conf
+++ b/doc/example-config/conf.d/10-ssl.conf
@@ -54,8 +54,10 @@ ssl_key = </etc/ssl/private/dovecot.pem
 # SSL protocols to use
 #ssl_protocols = !SSLv3
 
-# SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
 # Colon separated list of elliptic curves to use. Empty value (the default)
 # means use the defaults from the SSL library. P-521:P-384:P-256 would be an

diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index fb6cd16cff187fa95ebc4a1300435b964b5d861d..1a3c4f7d8a39487ece420a894601588702a39ed6 100644 (file)
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -46,7 +46,7 @@ static const struct master_service_ssl_settings master_service_ssl_default_setti
        .ssl_key = "",
        .ssl_key_password = "",
        .ssl_dh = "",
-       .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
+       .ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
        .ssl_curve_list = "",
 #ifdef SSL_TXT_SSLV2
        .ssl_protocols = "!SSLv2 !SSLv3",