Re: [exim] exim 4.43 and GnuTLS: How to control cipher negot…

Author: Marc Haber
To: exim-users
Subject: Re: [exim] exim 4.43 and GnuTLS: How to control cipher negotiation?
On Mon, 29 Nov 2004 10:15:47 +0000 (GMT), Philip Hazel
<ph10@???> wrote:
>I have no idea why the person who submitted the GnuTLS code chose that
>particular set of ciphers and that particular order. However, the
>tls_require_ciphers option allows you to modify or replace this list.


OK. I missed the last sentence of chapter 37.2 in the spec. Thanks for
pointing me in that direction.

However, the option doesn't seem to work as advertised:

|[1/499]mh@q:~/tmp$ exim -bP tls_require_ciphers
|tls_require_ciphers = AES : 3DES : ARCFOUR
|[2/500]mh@q:~/tmp$ echo "From: <mh@???>\n\ntestmail" | /usr/sbin/exim4 mh+testmail@???
|Exim version 4.43 uid=0 gid=0 pid=5132 D=fbb95cfd
<snip>
|213.240.137.97 in hosts_avoid_tls? no (option unset)
| SMTP>> STARTTLS

|waiting for data on socket
|read response data: size=18
| SMTP<< 220 TLS go ahead

|initializing GnuTLS as a client
|read RSA and D-H parameters from file
|initialized RSA and D-H parameters
|no TLS client certificate is specified
|initialized certificate stuff
|initialized GnuTLS session
|cipher: TLS-1.0:RSA_ARCFOUR_SHA:16
| SMTP>> EHLO q.bofh.de

|tls_do_write(bfffcb7c, 16)
|gnutls_record_send(SSL, bfffcb7c, 16)

The receiving host is running the same exim 4.43 binary with a very
similar configuration, but is missing the tls_require_ciphers option.
Why is ARCFOUR still the chosen cipher?

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
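The practical check behind this thread is "which cipher did the GnuTLS build actually negotiate, and does it match what tls_require_ciphers asked for?" The script below is an added example written for this page; it is not Exim's code and not from anyone in the thread. It assumes the cipher string has the shape shown in the debug line above ("<protocol>:<KX>_<CIPHER>_<MAC>:<n>", e.g. "TLS-1.0:RSA_ARCFOUR_SHA:16"), that the trailing number is the key size in bytes (so 16 means a 128-bit key), that the same string appears as the X= field on main-log lines when the tls_cipher log selector is on, and that tls_require_ciphers names are matched by prefix against the CIPHER field. All sample lines except the first one (copied from the debug output above) are constructed.

```python
"""Check the cipher Exim's GnuTLS build negotiated against tls_require_ciphers.

Added example for the exim-users thread; not Exim's own code.  Assumptions:
  * cipher string format "<protocol>:<KX>_<CIPHER>_<MAC>:<n>" (from the
    debug line "cipher: TLS-1.0:RSA_ARCFOUR_SHA:16");
  * the trailing <n> is the key size in bytes, so 16 means a 128-bit key;
  * main-log lines carry the same string in an "X=" field (tls_cipher log
    selector), which is what the regex below also looks for;
  * tls_require_ciphers is a colon-separated Exim list whose names match
    the CIPHER field by prefix ("AES" matches "AES-256-CBC" as well).
"""
import re
from typing import Dict, List, Optional

# Matches the string after "cipher: " in -d output or after "X=" in a log line.
CIPHER_RE = re.compile(r"(?:cipher: |X=)(TLS-[0-9.]+:[A-Za-z0-9_-]+:\d+)")

# Constructed sample input.  Line 1 is the debug line from the post; the
# other two are made-up main-log lines in the assumed X= format.
SAMPLE_LINES = [
    "|cipher: TLS-1.0:RSA_ARCFOUR_SHA:16",
    "2004-11-29 10:41:07 1CYsum-0003Xc-8n => user@example.org R=dnslookup "
    "T=remote_smtp H=mail.example.org [192.0.2.25] X=TLS-1.0:RSA_AES-256-CBC_SHA:32",
    "2004-11-29 10:42:19 1CYsvu-0003Xk-2j => user@example.net R=dnslookup "
    "T=remote_smtp H=mx.example.net [192.0.2.26] X=TLS-1.0:RSA_DES-CBC_MD5:8",
]


def parse_cipher_string(s: str) -> Dict[str, object]:
    """Split 'TLS-1.0:RSA_ARCFOUR_SHA:16' into its components."""
    protocol, suite, key_bytes = s.split(":")
    kx, rest = suite.split("_", 1)        # first token is the key exchange
    cipher, mac = rest.rsplit("_", 1)     # last token is the MAC; middle is the cipher
    return {
        "protocol": protocol,
        "kx": kx,
        "cipher": cipher,
        "mac": mac,
        "key_bits": int(key_bytes) * 8,   # assumption: bytes on the wire string
    }


def parse_require_ciphers(option: str) -> List[str]:
    """Turn 'AES : 3DES : ARCFOUR' into ['AES', '3DES', 'ARCFOUR'] (Exim colon list)."""
    return [item.strip().upper() for item in option.split(":") if item.strip()]


def cipher_matches(cipher: str, wanted: str) -> bool:
    """Prefix match so 'AES' covers 'AES-128-CBC' / 'AES-256-CBC' (assumption)."""
    return cipher.upper().startswith(wanted)


def check_negotiated(cipher_string: str, require: List[str]) -> Dict[str, object]:
    """Report whether the negotiated cipher is in the list and which more
    preferred entries (earlier in the list) were passed over."""
    info = parse_cipher_string(cipher_string)
    rank: Optional[int] = None
    for i, wanted in enumerate(require):
        if cipher_matches(str(info["cipher"]), wanted):
            rank = i
            break
    info["allowed"] = rank is not None
    info["rank"] = rank
    info["skipped_preferred"] = require[:rank] if rank is not None else []
    return info


def scan_lines(lines: List[str], option: str) -> List[Dict[str, object]]:
    """Run the check over debug output and/or main-log lines."""
    require = parse_require_ciphers(option)
    results = []
    for line in lines:
        m = CIPHER_RE.search(line)
        if m:
            results.append(check_negotiated(m.group(1), require))
    return results


if __name__ == "__main__":
    for r in scan_lines(SAMPLE_LINES, "AES : 3DES : ARCFOUR"):
        verdict = "ok" if r["allowed"] else "NOT IN tls_require_ciphers"
        note = f", preferred {r['skipped_preferred']} passed over" if r["skipped_preferred"] else ""
        print(f"{r['protocol']} {r['kx']}/{r['cipher']}/{r['mac']} {r['key_bits']}-bit: {verdict}{note}")
```

Run it over a `-d` transcript or a main log with the tls_cipher log selector enabled; the "passed over" column is the quick way to see whether list order is being honoured, which is exactly what the ARCFOUR result above calls into question.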