On Tue, 30 Nov 2004 10:15:29 +0000 (GMT), Philip Hazel
<ph10@???> wrote:
>On Mon, 29 Nov 2004, Marc Haber wrote:
>> |[1/499]mh@q:~/tmp$ exim -bP tls_require_ciphers
>> |tls_require_ciphers = AES : 3DES : ARCFOUR
>> |[2/500]mh@q:~/tmp$ echo "From: <mh@???>\n\ntestmail" | /usr/sbin/exim4 mh+testmail@???
>> |Exim version 4.43 uid=0 gid=0 pid=5132 D=fbb95cfd
>> <snip>
>
><snip>
>
>> |cipher: TLS-1.0:RSA_ARCFOUR_SHA:16
>
><snip>
>
>> The receiving host is running the same exim 4.43 binary with a very
>> similiar configuration, but is missing the tls_require_cipher option.
>> Why is ARCFOUR still the chosen cipher?
>
>That I do not know, because I do not know how the client and server
>negotiate these things. I am a complete novice at this TLS stuff. One
>might suppose that the server's preferences take precedence, but I'm
>guessing here.
When using gnutls-cli, a better cipher is negotiated. Who contributed
the GnuTLS Interface?
> Have you tried
>
>tls_require_ciphers = AES : 3DES
>
>? That is, tried preventing it from using ARCFOUR at all?
Not yet. That configuration option would disable encryption completely
with a communications partner that is only capable of doing ARCFOUR,
which is a bad thing.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834