On Fri, 5 Oct 2001, Richard Welty wrote:

> how does exim handle negotiation of a cipher for smtp over tls?

It doesn't. It lets the OpenSSL library handle that. There is a call it
can use that tells OpenSSL a list of permitted ciphers. Exim 3 uses this
if you set the "verify_ciphers" option; the TLS setup fails if an
acceptable cipher can't be found. Exim 4 does not use this option; it
allows you to test the cipher later (gives more flexibility).

> i'm seeing that two exim boxes, both mine, both with
> tls_verify_ciphers defaulting to unset, are negotiating DES/SHA1 as
> the cipher suite. is there a reason why they're not going to 3DES?

If tls_verify_ciphers is unset, it's all up to the OpenSSL library.
I'm afraid I don't understand the internals.

Philip
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
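
An added example, not part of the original message and not Exim's code: the two approaches described above, sketched with Python's ssl module, whose set_ciphers() passes the string to OpenSSL's SSL_CTX_set_cipher_list(). The function names, the 112-bit threshold and the sample cipher tuples are assumptions made for illustration.

```python
import ssl

MIN_BITS = 112  # assumed local policy: rejects 56-bit single DES


def permitted_suites(cipher_string):
    """Expand an OpenSSL cipher string before any connection is made.

    Returns [(name, strength_bits), ...] for TLS 1.2 and earlier, or None
    when nothing matches, which is the case where the TLS setup fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return None
    # OpenSSL configures TLS 1.3 suites separately, so leave them out here.
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiated_ok(cipher, min_bits=MIN_BITS):
    """Test a cipher after the handshake.

    `cipher` is the (name, protocol, secret_bits) tuple that
    SSLSocket.cipher() returns once a session is established.
    """
    name, _protocol, bits = cipher
    if bits is None or bits < min_bits:
        return False
    # Export-grade and NULL suites are refused whatever size is reported.
    return "NULL" not in name and not name.startswith("EXP")


if __name__ == "__main__":
    # Restricting the list up front: an unmatched string fails immediately.
    for spec in ("ECDHE+AESGCM", "NO-SUCH-CIPHER"):
        suites = permitted_suites(spec)
        print(spec, "->", "setup fails" if suites is None else suites)

    # Testing the negotiated result afterwards (constructed sample tuples).
    for sample in (("DES-CBC-SHA", "TLSv1", 56),
                   ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)):
        print(sample[0], "->", "accept" if negotiated_ok(sample) else "reject")
```

With no cipher string set at all, the context keeps the library's built-in default list, so the result depends on the OpenSSL build on each end.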