[exim] Re: exim 4.43 and GnuTLS: How to control cipher negot…

Author: Andreas Metzler
Date:  
To: exim-users
Subject: [exim] Re: exim 4.43 and GnuTLS: How to control cipher negotiation?
On 2004-12-07 Philip Hazel <ph10@???> wrote:
> On Tue, 7 Dec 2004, Andreas Metzler wrote:

[...]
> > I'd appreciate if you could tell us which new ordering you have chosen
> > once that has happened, as I'd like to replicate the change in Debian's
> > exim packages rather sooner than later.


> The consensus seems to be AES128, 3DES, ARCFOUR128, ARCFOUR40. There is
> some debate about having ARCFOUR40 there at all, and I am wavering...


> > * AES_256_CBC, AES_128_CBC, 3DES_CBC,
> > * and ARCFOUR_128 for ciphers.
>
> > Just as another datapoint.


> That would suggest dropping ARCFOUR40 and adding AES256 at the start.
> OK, that's what I'll think about doing.


ok, thanks.

> > Afaict from NEWS
> > gnutls_set_default_priority() was added in 0.5.9.


> Exim uses gnutls_cipher_set_priority(). I guess that code predates the
> new function.


I think so, too.

> Or maybe it's something different. Sorry, I'm just not an
> expert in this stuff.


Afaiui gnutls_cipher_set_priority() is for choosing a custom ordering
and gnutls_set_default_priority() is for "The gnutls guys should know
better which ordering is the best one, let them decide." The manual
seems to support this
http://www.gnu.org/software/gnutls/manual/gnutls/gnutls.html#SECTION0010153000000000000000
http://www.gnu.org/software/gnutls/manual/gnutls/gnutls.html#SECTION00101138000000000000000
              cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"