unofficial mirror of guix-patches@gnu.org 
* [bug#69858] [PATCH 1/2] services: dovecot: Prefer server ciphers by default.
@ 2024-03-17 15:34 Herman Rimm via Guix-patches via
  2024-03-17 15:38 ` [bug#69858] [PATCH 2/2] services: dovecot: Bump minimum supported SSL protocol Herman Rimm via Guix-patches via
  0 siblings, 1 reply; 2+ messages in thread
From: Herman Rimm via Guix-patches via @ 2024-03-17 15:34 UTC (permalink / raw)
  To: 69858; +Cc: Herman Rimm

* gnu/services/mail.scm (dovecot-configuration): Add
'ssl-prefer-server-ciphers?' field.
* doc/guix.texi (Mail Services)[Dovecot Service]: Describe field.

Change-Id: I1ea7c53466ebc3b01082938b5d9dee47c683017d
---
 doc/guix.texi         | 5 +++++
 gnu/services/mail.scm | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index eca1cb3712..b58ed90b2f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26989,6 +26989,11 @@ Time to delay before replying to failed authentications.
 Defaults to @samp{"2 secs"}.
 @end deftypevr
 
+@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-prefer-server-ciphers?
+Prefer a server's allowed cipher list over own cipher list.
+Defaults to @samp{#t}.
+@end deftypevr
+
 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
 Require a valid SSL client certificate or the authentication
 fails.
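Review bot: the parameter documented in this hunk is named `auth-ssl-prefer-server-ciphers?`, but the field added to `gnu/services/mail.scm` in the same patch is `ssl-prefer-server-ciphers?`; the Texinfo name must match the field name, and the entry belongs alongside the other `ssl-*` parameters rather than between the `auth-ssl-*` ones. The description "Prefer a server's allowed cipher list over own cipher list." is also less clear than the docstring used in mail.scm ("Prefer the server's cipher list over a client's cipher list."); using the same wording in both places avoids the two drifting apart.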
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index afe1bb6016..cd3f961094 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de>
 ;;; Copyright © 2023 Thomas Ieong <th.ieong@free.fr>
 ;;; Copyright © 2023 Saku Laesvuori <saku@laesvuori.fi>
+;;; Copyright © 2024 Herman Rimm <herman@rimm.ee>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1261,9 +1262,15 @@ (define-configuration dovecot-configuration
 intend to use @samp{ssl-verify-client-cert? #t}.  The file should
 contain the CA certificate(s) followed by the matching
 CRL(s).  (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).")
+
+  (ssl-prefer-server-ciphers?
+   (boolean #t)
+   "Prefer the server’s cipher list over a client’s cipher list.")
+
   (ssl-require-crl?
    (boolean #t)
    "Require that CRL check succeeds for client certificates.")
+
   (ssl-verify-client-cert?
    (boolean #f)
    "Request client to send a certificate.  If you also want to require
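Review bot: with `(boolean #t)` as the default, every `dovecot-configuration` that does not mention the field now carries the prefer-server-ciphers setting, which is a behaviour change for existing deployments; the commit message should say so explicitly rather than only naming the new field. Two style points in the same hunk: the docstring `"Prefer the server’s cipher list over a client’s cipher list."` uses typographic apostrophes while the surrounding docstrings use ASCII quotes, and the blank line inserted between `ssl-require-crl?` and `ssl-verify-client-cert?` is an unrelated whitespace change that should be dropped from this patch.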
-- 
2.41.0


* [bug#69858] [PATCH 2/2] services: dovecot: Bump minimum supported SSL protocol.
  2024-03-17 15:34 [bug#69858] [PATCH 1/2] services: dovecot: Prefer server ciphers by default Herman Rimm via Guix-patches via
@ 2024-03-17 15:38 ` Herman Rimm via Guix-patches via
  0 siblings, 0 replies; 2+ messages in thread
From: Herman Rimm via Guix-patches via @ 2024-03-17 15:38 UTC (permalink / raw)
  To: 69858; +Cc: Herman Rimm

* gnu/services/mail.scm (dovecot-configuration): Set 'ssl-min-protocol'
to "TLSv1.2".

Change-Id: I0d317a54d46523229fcd475eb6ae2239fd0726e9
---
 gnu/services/mail.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index cd3f961094..f500a62664 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1283,7 +1283,7 @@ (define-configuration dovecot-configuration
 @samp{auth-ssl-username-from-cert? #t}.")
 
   (ssl-min-protocol
-   (string "TLSv1")
+   (string "TLSv1.2")
    "Minimum SSL protocol version to accept.")
 
   (ssl-cipher-list
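Review bot: raising the default from `"TLSv1"` to `"TLSv1.2"` is a behaviour change for every deployment that relies on the default: clients limited to TLS 1.0 or 1.1 will no longer be able to connect unless the operator sets `ssl-min-protocol` explicitly, and the commit message should state this. The corresponding entry in `doc/guix.texi`, which follows the "Defaults to @samp{...}" pattern visible in the previous patch, is not touched here; it needs the same update in this commit so the documented default does not contradict the code.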
-- 
2.41.0


Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git