Re: [exim] Re: exim 4.43 and GnuTLS: How to control cipher n…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Philip Hazel
Dátum:  
Címzett: Andreas Metzler
CC: exim-users
Tárgy: Re: [exim] Re: exim 4.43 and GnuTLS: How to control cipher negotiation?
On Tue, 7 Dec 2004, Andreas Metzler wrote:

> Philip Hazel <ph10@???> wrote:
> [...]
> > Does it make sense to change the default order? What would you suggest?
> > The relevant code shows the current order:
>
> > static int default_cipher_priority[16] = {
> >  GNUTLS_CIPHER_ARCFOUR_128,
> >  GNUTLS_CIPHER_AES_128_CBC,  
> >  GNUTLS_CIPHER_3DES_CBC,
> >  GNUTLS_CIPHER_ARCFOUR_40,
> >  0 };                  

>
> I'd appreciate if you could tell us which new ordering you have chosen
> once that has happened, as I'd like to replicate the change in Debian's
> exim packages rather sooner than later.


The consensus seems to be AES128, 3DES, ARCFOUR128, ARCFOUR40. There is
some debate about having ARCFOUR40 there at all, and I am wavering...

> * AES_256_CBC, AES_128_CBC, 3DES_CBC,
> * and ARCFOUR_128 for ciphers.
>
> Just as another datapoint.


That would suggest dropping ARCFOUR40 and adding AES256 at the start.
OK, that's what I'll think about doing.

> Afaict from NEWS
> gnutls_set_default_priority() was addedd in 0.5.9.


Exim uses gnutls_cipher_set_priority(). I guess that code predates the
new function. Or maybe it's something different. Sorry, I'm just not an
expert in this stuff.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book