On Mon, 29 Nov 2004 10:15:47 +0000 (GMT), Philip Hazel
<ph10@???> wrote:
>I have no idea why the person who submitted the GnuTLS code chose that
>particular set of ciphers and that particular order. However, the
>tls_require_ciphers option allows you to modify or replace this list.
OK. I missed the last sentence of chapter 37.2 in the spec. Thanks for
pointing me into that direction.
However, the option doesn't seem to work as advertised:
|[1/499]mh@q:~/tmp$ exim -bP tls_require_ciphers
|tls_require_ciphers = AES : 3DES : ARCFOUR
|[2/500]mh@q:~/tmp$ echo "From: <mh@???>\n\ntestmail" | /usr/sbin/exim4 mh+testmail@???
|Exim version 4.43 uid=0 gid=0 pid=5132 D=fbb95cfd
<snip>
|213.240.137.97 in hosts_avoid_tls? no (option unset)
| SMTP>> STARTTLS
|waiting for data on socket
|read response data: size=18
| SMTP<< 220 TLS go ahead
|initializing GnuTLS as a client
|read RSA and D-H parameters from file
|initialized RSA and D-H parameters
|no TLS client certificate is specified
|initialized certificate stuff
|initialized GnuTLS session
|cipher: TLS-1.0:RSA_ARCFOUR_SHA:16
| SMTP>> EHLO q.bofh.de
|tls_do_write(bfffcb7c, 16)
|gnutls_record_send(SSL, bfffcb7c, 16)
The receiving host is running the same exim 4.43 binary with a very
similiar configuration, but is missing the tls_require_cipher option.
Why is ARCFOUR still the chosen cipher?
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
