aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

dovecot: restore compat for RSA key material

Browse Source 
In TLS1.2 available cipher suites depend on the available key material,
so the last round of cipher suites updates broke TLS1.2 support with RSA
key pairs.

The NixOS ACME module has been defaulting to EC256 (and earlier EC384)
key material, so I assume this did not affect many setups in practice.
This commit is contained in:
Martin Weinelt
2026-03-18 14:06:10 +01:00
parent 7dfcb21d35
commit 3da442701a
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mail-server/dovecot.nix
+5
View File
@@ -382,9 +382,14 @@ in
"TLS_CHACHA20_POLY1305_SHA256" "TLS_CHACHA20_POLY1305_SHA256"
"TLS_AES_256_GCM_SHA384" "TLS_AES_256_GCM_SHA384"
# TLS1.2 # TLS1.2
# EC key material
"ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-ECDSA-AES256-GCM-SHA384"
# RSA key material
"ECDHE-RSA-AES128-GCM-SHA256"
"ECDHE-RSA-CHACHA20-POLY1305"
"ECDHE-RSA-AES256-GCM-SHA384"
] ]
} }
ssl_curve_list = X25519MLKEM768:X25519:prime256v1:secp384r1 ssl_curve_list = X25519MLKEM768:X25519:prime256v1:secp384r1