On Fri, 5 Oct 2001, Richard Welty wrote:
> how does exim handle negotiation of a cipher for smtp over tls?
It doesn't. It lets the OpenSSL library handle that. There is a call it
can use that tells OpenSSL a list of permitted ciphers. Exim 3 uses this
if you set the "verify_ciphers" option; the TLS setup fails if an
acceptable cipher can't be found. Exim 4 does not use this option; it
allows you to test the cipher later (gives more flexibility).
> i'm seeing that two exim boxes, both mine, both with
> tls_verify_ciphers defaulting to unset, are negotiating DES/SHA1 as
> the cipher suite. is there a reason why they're not going to 3DES?
If tls_verify_ciphers is unset, it's all up to the OpenSSL library.
I'm afraid I don't understand the internals.

Anyone know which cipher would perform the best for a mail application?
The openssl-0.9.6-9 supports the following ciphers.
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DES-CBC3-MD5
DHE-DSS-RC4-SHA
RC4-SHA
RC4-MD5
RC2-CBC-MD5
RC4-MD5
RC4-64-MD5
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC4-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
DES-CBC-MD5
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5
------------------------------------------------
Karl Schmidt (ks150) EMail Karl@???
Transtronics, Inc. WEB http://xtronics.com
3209 West 9th Street Ph(785) 841-3089
Lawrence, KS 66049 FAX(785) 841-0434
--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
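The thread describes two ways to constrain the cipher: hand OpenSSL a list of permitted ciphers before the handshake, or test the negotiated cipher afterwards. The sketch below is an added example, not code from Exim, OpenSSL or the posters. It parses the suite names posted above and applies one policy both ways; the function names and the thresholds (128-bit minimum, no MD5, no export suites) are assumptions chosen for illustration.

```python
import re

# Nominal key sizes in bits for the bulk ciphers named in the list above.
BULK_BITS = {"DES-CBC3": 168, "DES-CBC": 56, "RC4-64": 64, "RC4": 128, "RC2-CBC": 128}
EXPORT_BITS = {"EXP": 40, "EXP1024": 56}  # export suites cap the effective key size

# [EXP|EXP1024-][EDH|DHE-RSA|DSS-]<bulk>-<mac>; longer alternatives come first.
NAME_RE = re.compile(
    r"^(?:(?P<export>EXP1024|EXP)-)?(?:(?P<kx>EDH|DHE)-(?P<auth>RSA|DSS)-)?"
    r"(?P<bulk>DES-CBC3|DES-CBC|RC4-64|RC4|RC2-CBC)-(?P<mac>SHA|MD5)$")

# The cipher names posted in the thread (duplicates included).
THREAD_LIST = """
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DES-CBC3-MD5
DHE-DSS-RC4-SHA RC4-SHA RC4-MD5 RC2-CBC-MD5 RC4-MD5 RC4-64-MD5
EXP1024-DHE-DSS-RC4-SHA EXP1024-RC4-SHA EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DES-CBC-SHA EXP1024-RC2-CBC-MD5 EXP1024-RC4-MD5
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5
""".split()

def parse_suite(name):
    """Split an OpenSSL-style suite name into its components."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    bits = BULK_BITS[m["bulk"]]
    if m["export"]:
        bits = min(bits, EXPORT_BITS[m["export"]])
    return {"kx": "DHE" if m["kx"] else "RSA", "auth": m["auth"] or "RSA",
            "bulk": m["bulk"], "mac": m["mac"], "bits": bits,
            "export": m["export"] is not None}

def check_negotiated(name, min_bits=128, banned_macs=("MD5",)):
    """Post-handshake test: return (ok, reasons) for the suite that was negotiated."""
    s, reasons = parse_suite(name), []
    if s["export"]:
        reasons.append("export-grade suite")
    if s["bits"] < min_bits:
        reasons.append(f"{s['bits']}-bit key is below the {min_bits}-bit minimum")
    if s["mac"] in banned_macs:
        reasons.append(f"{s['mac']} MAC is not allowed")
    return (not reasons, reasons)

def permitted_list(names, **policy):
    """Pre-handshake restriction: colon-separated cipher string of passing suites."""
    keep = [n for n in dict.fromkeys(names) if check_negotiated(n, **policy)[0]]
    return ":".join(keep)

if __name__ == "__main__":
    print(permitted_list(THREAD_LIST))
    print(check_negotiated("DES-CBC-SHA"))
```

With these assumed thresholds, the DES/SHA1 suite reported in the thread (`DES-CBC-SHA`) fails the post-handshake test, while `DES-CBC3-SHA` passes.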