A while back I wrote to the list asking about how to specify the SSL/TLS cipher algorithms that cyrus imapd should accept (by analogy with the SSLCipherSuite directive from Apache's mod_ssl). I didn't receive a reply (which is fine) so now I want to verify: is it true that there is no way to specify which cipher algorithms cyrus imapd should accept?
I think this should be considered a rather large security hole. I believe OpenSSL will even negotiate down to the NULL cipher (i.e. no encryption) if a client claims that is all it will accept.
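The concern above is about what OpenSSL will negotiate when the server side has not constrained it. The following is an added example, not part of the original post and not Cyrus code: it uses Python's `ssl` module (which wraps OpenSSL) to show how an OpenSSL cipher string such as mod_ssl's `SSLCipherSuite` takes restricts the suites a server context offers, and how to audit the resulting list for NULL-encryption, anonymous and sub-128-bit suites before deploying it. The two cipher strings are constructed for the example; whether the permissive one actually yields NULL suites depends on the OpenSSL build and its security level, which is exactly why the audit function checks the real list rather than trusting the string.

```python
import ssl

# Constructed cipher strings in OpenSSL syntax (same syntax as mod_ssl's
# SSLCipherSuite).  The permissive one deliberately re-adds the eNULL group,
# i.e. the "no encryption" suites the post worries about; the hardened one
# allows only ECDHE key exchange with AEAD ciphers and explicitly excludes
# NULL, anonymous, export, DES, RC4 and MD5 suites.
PERMISSIVE = "ALL:eNULL"
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"


def enabled_ciphers(cipher_string):
    """Return the TLS <= 1.2 suites a server context would offer for a cipher
    string, or None if OpenSSL rejects the string (no suite matched).
    TLS 1.3 suites are governed separately by OpenSSL and are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(ciphers):
    """Audit a list from enabled_ciphers(): report suites with no encryption,
    no server authentication (anonymous DH/ECDH), or under 128 bits."""
    flagged = []
    for c in ciphers:
        name = c["name"]
        if "NULL" in name or name.startswith(("ADH", "AECDH")) or c["strength_bits"] < 128:
            flagged.append(name)
    return flagged


def audit(cipher_string):
    """Summarise one cipher string: total suites offered and those flagged."""
    ciphers = enabled_ciphers(cipher_string)
    if ciphers is None:
        return {"valid": False, "offered": 0, "flagged": []}
    return {"valid": True, "offered": len(ciphers), "flagged": weak_ciphers(ciphers)}


if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        result = audit(spec)
        print(f"{label}: {spec}")
        print(f"  valid={result['valid']} offered={result['offered']}")
        for name in result["flagged"]:
            print(f"  FLAGGED: {name}")
```

Run it as-is to compare the two strings on the local OpenSSL; the useful habit is to run `audit()` against whatever string a daemon is configured with and refuse the configuration if `flagged` is non-empty.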