[PATCH 1/2] services: dovecot: Prefer server ciphers by default.

Submitted by
Herman Rimm
Herman Rimm wrote on 17 Mar 16:34 +0100
To: guix-patches@gnu.org, Herman Rimm <herman@rimm.ee>
Message-ID: 20240317153440.27064-1-herman@rimm.ee
* gnu/services/mail.scm (dovecot-configuration): Add
'ssl-prefer-server-ciphers?' field.
* doc/guix.texi (Mail Services)[Dovecot Service]: Describe field.

Change-Id: I1ea7c53466ebc3b01082938b5d9dee47c683017d
---
doc/guix.texi | 5 +++++
gnu/services/mail.scm | 7 +++++++
2 files changed, 12 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index eca1cb3712..b58ed90b2f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26989,6 +26989,11 @@ Time to delay before replying to failed authentications.
Defaults to @samp{"2 secs"}.
@end deftypevr
+@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-prefer-server-ciphers?
+Prefer a server's allowed cipher list over own cipher list.
+Defaults to @samp{#t}.
+@end deftypevr
+
@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
Require a valid SSL client certificate or the authentication
fails.
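Review bot: the manual entry added in this hunk names the parameter `auth-ssl-prefer-server-ciphers?`, but the field this same patch adds to gnu/services/mail.scm is `ssl-prefer-server-ciphers?`; the two must match, and with the correct name the entry belongs alongside the other `ssl-` parameters rather than between the `auth-ssl-` ones. The description also differs from the field's docstring ("Prefer a server's allowed cipher list over own cipher list." here versus "Prefer the server’s cipher list over a client’s cipher list." in mail.scm), so a regenerated manual would not match what is committed here; use the same wording in both places. Suggested replacement for the first two added lines:
`+@deftypevr {@code{dovecot-configuration} parameter} boolean ssl-prefer-server-ciphers?`
`+Prefer the server's cipher list over the client's cipher list.`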
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index afe1bb6016..cd3f961094 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de>
;;; Copyright © 2023 Thomas Ieong <th.ieong@free.fr>
;;; Copyright © 2023 Saku Laesvuori <saku@laesvuori.fi>
+;;; Copyright © 2024 Herman Rimm <herman@rimm.ee>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1261,9 +1262,15 @@ (define-configuration dovecot-configuration
intend to use @samp{ssl-verify-client-cert? #t}. The file should
contain the CA certificate(s) followed by the matching
CRL(s). (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).")
+
+ (ssl-prefer-server-ciphers?
+ (boolean #t)
+ "Prefer the server’s cipher list over a client’s cipher list.")
+
(ssl-require-crl?
(boolean #t)
"Require that CRL check succeeds for client certificates.")
+
(ssl-verify-client-cert?
(boolean #f)
"Request client to send a certificate. If you also want to require
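Review bot: the blank line inserted between `ssl-require-crl?` and `ssl-verify-client-cert?` is an unrelated whitespace change and should be dropped from this patch. In the new docstring, "server’s" and "client’s" use typographic (U+2019) apostrophes; since this string is also used to produce the Texinfo manual entry, plain ASCII `'` is the safer choice. The commit message states the new default but not why `#t` was chosen; a sentence explaining the rationale for preferring the server's cipher order would help reviewers and existing users of the service understand the changed default.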
--
2.41.0
Herman Rimm wrote on 17 Mar 16:38 +0100
[PATCH 2/2] services: dovecot: Bump minimum supported SSL protocol.
To: 69858@debbugs.gnu.org, Herman Rimm <herman@rimm.ee>
Message-ID: 20240317153925.27190-1-herman@rimm.ee
* gnu/services/mail.scm (dovecot-configuration): Set 'ssl-min-protocol'
to "TLSv1.2".

Change-Id: I0d317a54d46523229fcd475eb6ae2239fd0726e9
---
gnu/services/mail.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index cd3f961094..f500a62664 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1283,7 +1283,7 @@ (define-configuration dovecot-configuration
@samp{auth-ssl-username-from-cert? #t}.")
(ssl-min-protocol
- (string "TLSv1")
+ (string "TLSv1.2")
"Minimum SSL protocol version to accept.")
(ssl-cipher-list
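Review bot: the diffstat shows only gnu/services/mail.scm changing, so the manual's `ssl-min-protocol` entry in doc/guix.texi, which records the default the same way the entries touched by patch 1/2 do ("Defaults to @samp{...}"), still needs the matching update to `"TLSv1.2"` to stay in sync with this hunk. Since raising the floor means clients limited to TLS 1.0 or 1.1 will no longer connect, the commit message should call out that behaviour change for existing deployments and note that the previous floor can be restored explicitly with `(ssl-min-protocol "TLSv1")` in the service configuration.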
--
2.41.0