[exim] Re: exim 4.43 and GnuTLS: How to control cipher negot…

Top Page
Delete this message
Reply to this message
Author: Andreas Metzler
Date:  
To: exim-users
Subject: [exim] Re: exim 4.43 and GnuTLS: How to control cipher negotiation?
Philip Hazel <ph10@???> wrote:
[...]
> Does it make sense to change the default order? What would you suggest?
> The relevant code shows the current order:


> static int default_cipher_priority[16] = {
>  GNUTLS_CIPHER_ARCFOUR_128,
>  GNUTLS_CIPHER_AES_128_CBC,  
>  GNUTLS_CIPHER_3DES_CBC,
>  GNUTLS_CIPHER_ARCFOUR_40,
>  0 };                  


I'd appreciate if you could tell us which new ordering you have chosen
once that has happened, as I'd like to replicate the change in Debian's
exim packages rather sooner than later.

BTW quoting lib/gnutls_priority.c from gnutls 1.0.16:

/**
* gnutls_set_default_priority - Sets some default priority on the cipher suite
s supported by gnutls.
* @session: is a &gnutls_session structure.
*
* Sets some default priority on the ciphers, key exchange methods, macs
* and compression methods. This is to avoid using the gnutls_*_priority() functions, if
* these defaults are ok. You may override any of the following priorities by calling
* the appropriate functions.
*
* The order is TLS1, SSL3 for protocols.
* RSA, DHE_DSS, DHE_RSA for key exchange
* algorithms. SHA, MD5 and RIPEMD160 for MAC algorithms.
* AES_256_CBC, AES_128_CBC, 3DES_CBC,
* and ARCFOUR_128 for ciphers.

Just as another datapoint. Afaict from NEWS
gnutls_set_default_priority() was addedd in 0.5.9.
            thanks, cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"