GNU bug report logs - #69858
[PATCH 1/2] services: dovecot: Prefer server ciphers by default.

Package: guix-patches;

Reported by: Herman Rimm <herman <at> rimm.ee>

Date: Sun, 17 Mar 2024 15:36:01 UTC

Severity: normal

Tags: patch


Report forwarded to guix-patches <at> gnu.org: bug#69858; Package guix-patches. (Sun, 17 Mar 2024 15:36:01 GMT)

Acknowledgement sent to Herman Rimm <herman <at> rimm.ee>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 17 Mar 2024 15:36:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Herman Rimm <herman <at> rimm.ee>
To: guix-patches <at> gnu.org
Cc: Herman Rimm <herman <at> rimm.ee>
Subject: [PATCH 1/2] services: dovecot: Prefer server ciphers by default.
Date: Sun, 17 Mar 2024 16:34:33 +0100
* gnu/services/mail.scm (dovecot-configuration): Add
'ssl-prefer-server-ciphers?' field.
* doc/guix.texi (Mail Services)[Dovecot Service]: Describe field.

Change-Id: I1ea7c53466ebc3b01082938b5d9dee47c683017d
---
 doc/guix.texi         | 5 +++++
 gnu/services/mail.scm | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index eca1cb3712..b58ed90b2f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26989,6 +26989,11 @@ Time to delay before replying to failed authentications.
 Defaults to @samp{"2 secs"}.
 @end deftypevr
 
+@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-prefer-server-ciphers?
+Prefer a server's allowed cipher list over own cipher list.
+Defaults to @samp{#t}.
+@end deftypevr
+
 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
 Require a valid SSL client certificate or the authentication
 fails.
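Review bot: the documented parameter name does not match the field this series adds to gnu/services/mail.scm: the manual entry is `auth-ssl-prefer-server-ciphers?` while the Scheme record field is `ssl-prefer-server-ciphers?`, so a user copying the documented name into their `dovecot-configuration` gets an unknown-field error. Rename the `@deftypevr` to `ssl-prefer-server-ciphers?` (the `auth-` prefix seems to have been copied from the neighbouring `auth-ssl-require-client-cert?` entry) and reuse the Scheme docstring wording, "Prefer the server's cipher list over a client's cipher list.", since "over own cipher list" in the current text leaves it unclear whose list is preferred.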
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index afe1bb6016..cd3f961094 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
 ;;; Copyright © 2023 Thomas Ieong <th.ieong <at> free.fr>
 ;;; Copyright © 2023 Saku Laesvuori <saku <at> laesvuori.fi>
+;;; Copyright © 2024 Herman Rimm <herman <at> rimm.ee>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1261,9 +1262,15 @@ (define-configuration dovecot-configuration
 intend to use @samp{ssl-verify-client-cert? #t}.  The file should
 contain the CA certificate(s) followed by the matching
 CRL(s).  (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).")
+
+  (ssl-prefer-server-ciphers?
+   (boolean #t)
+   "Prefer the server’s cipher list over a client’s cipher list.")
+
   (ssl-require-crl?
    (boolean #t)
    "Require that CRL check succeeds for client certificates.")
+
   (ssl-verify-client-cert?
    (boolean #f)
    "Request client to send a certificate.  If you also want to require
-- 
2.41.0

Information forwarded to guix-patches <at> gnu.org: bug#69858; Package guix-patches. (Sun, 17 Mar 2024 15:41:02 GMT)

Message #8 received at 69858 <at> debbugs.gnu.org:

From: Herman Rimm <herman <at> rimm.ee>
To: 69858 <at> debbugs.gnu.org
Cc: Herman Rimm <herman <at> rimm.ee>
Subject: [PATCH 2/2] services: dovecot: Bump minimum supported SSL protocol.
Date: Sun, 17 Mar 2024 16:38:26 +0100
* gnu/services/mail.scm (dovecot-configuration): Set 'ssl-min-protocol'
to "TLSv1.2".

Change-Id: I0d317a54d46523229fcd475eb6ae2239fd0726e9
---
 gnu/services/mail.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index cd3f961094..f500a62664 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1283,7 +1283,7 @@ (define-configuration dovecot-configuration
 @samp{auth-ssl-username-from-cert? #t}.")
 
   (ssl-min-protocol
-   (string "TLSv1")
+   (string "TLSv1.2")
    "Minimum SSL protocol version to accept.")
 
   (ssl-cipher-list
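Review bot: raising the default `ssl-min-protocol` from "TLSv1" to "TLSv1.2" is a behaviour change for every existing deployment: mail clients and devices that only speak TLS 1.0 or 1.1 will stop connecting after the next reconfigure, so the commit message should say so and point users who need the old behaviour at setting `(ssl-min-protocol "TLSv1")` explicitly. The manual also needs the matching update: patch 1/2 shows that doc/guix.texi records each field's default ("Defaults to @samp{...}."), so the `ssl-min-protocol` entry there still states the old value and should be changed in the same commit. Minor: the docstring "Minimum SSL protocol version to accept." would read better as "Minimum TLS protocol version to accept.", since the accepted values are TLS versions.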
-- 
2.41.0


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.