RE: [exim] exim 4.43 and GnuTLS: How to control cipher negot…

Top Page
Delete this message
Reply to this message
Author: Jan-Peter Koopmann
Date:  
To: exim-users
CC: Richard Welty
Subject: RE: [exim] exim 4.43 and GnuTLS: How to control cipher negotiation?
>> because RC4 has been cracked? If you choose to allow AES128/3DES
>> only that is your decision to make.
>
> Not quite. You can configure Exim to insist on encryption.


That's what I meant. If he chooses to communicate with AES128/3DES only, then he can teach Exim to insist on encryption.

>> We are talking about the default ciphers here and to teach the
>> components to favour AES128/3DES over ARCFOUR. I see no harm in that.
>
> I think there is some harm. But there is harm both ways. Hmm.


I am missing something here obviously. The original question was how to set the defaults in the code.

Current order:
static int default_cipher_priority[16] = {
  GNUTLS_CIPHER_ARCFOUR_128,
  GNUTLS_CIPHER_AES_128_CBC,
  GNUTLS_CIPHER_3DES_CBC,
  GNUTLS_CIPHER_ARCFOUR_40,
  0 };                  


Proposed order by Marc and me:
static int default_cipher_priority[16] = {
  GNUTLS_CIPHER_AES_128_CBC,
  GNUTLS_CIPHER_3DES_CBC,
  GNUTLS_CIPHER_ARCFOUR_128,
  GNUTLS_CIPHER_ARCFOUR_40,
  0 };                  


Proposed order by Richard:
static int default_cipher_priority[16] = {
  GNUTLS_CIPHER_AES_128_CBC,
  GNUTLS_CIPHER_3DES_CBC,
  GNUTLS_CIPHER_ARCFOUR_128,
  0 };                  


In case one of the sides only supports RC4, Richards version would either fallback to no encryption or would not allow any communication at all depending on the exim config. Marcs proposal would fallback to RC4 40bit. So in the default config (which is TLS is "nice to have") one solution will result in no encryption and the other in RC4. Even though RC4 is everything but strong encryption, it is a lot better than no encryption at all, isn't it?

Kind regards,
JP