Guys,
I'm setting up a cluster of servers for the PCI DSS and I've only got one vulnerability left, which is that SSL/TLS supports weak authentication in exim. I managed to set SSLv2 to disabled on exim with the following line:
tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
Unfortunately, this does not set the authentication method to only support HIGH levels of encryption (128bit or above).
I can't find any information about where this should be set, and I know this line works as it manages to disable SSLv2. I've checked section 38 of the manual (and 38.4 specifically as I'm using openssl).
One of the solutions may be to specify the particular encryption methods on this line, but does anyone know a way of implementing the HIGH:MEDIUM:LOW setting in a similar way to the following (from proftpd)?
TLSCipherSuite HIGH:MEDIUM:!ADH:!SSLv2
Regards,
Andy Loughran
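Added example, not from Andy's post, from exim or from its documentation: before putting a tls_require_ciphers string into production, it helps to expand it with `openssl ciphers -v` and audit the resulting suite list against the policy the scanner is enforcing. The Python below parses the `openssl ciphers -v` output format and flags suites that use anonymous (unauthenticated) key exchange, no encryption, export-grade keys, or fewer than 128 bits of symmetric key. The 128-bit floor and the "no anonymous auth" rule are assumptions taken from the requirement stated in the post; the sample expansion is constructed for the example rather than captured from any server, and `expand_with_openssl` is a hypothetical helper that simply shells out to the local openssl binary.

```python
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output (not captured from any
# real server): one line per suite, in the format OpenSSL prints.
SAMPLE_EXPANSION = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

MIN_BITS = 128  # assumed policy: the post's "128bit or above" requirement

# Enc=AES(256) -> algorithm "AES", 256 bits; Enc=None has no bit count.
_ENC_RE = re.compile(r"Enc=([^\s(]+)(?:\((\d+)\))?")


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict; None for blank lines."""
    fields = line.split()
    if len(fields) < 2:
        return None
    entry = {"name": fields[0], "protocol": fields[1],
             "export": "export" in fields[2:]}
    for tok in fields[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value          # Kx, Au, Enc, Mac as printed
    m = _ENC_RE.search(line)
    entry["enc"] = m.group(1) if m else "?"
    entry["bits"] = int(m.group(2)) if m and m.group(2) else 0
    return entry


def weaknesses(entry, min_bits=MIN_BITS):
    """Reasons a suite falls short of the policy; an empty list means acceptable."""
    reasons = []
    if entry.get("Au") == "None":
        reasons.append("anonymous (unauthenticated) key exchange")
    if entry["enc"] == "None":
        reasons.append("no encryption")
    elif entry["bits"] < min_bits:
        reasons.append("%d-bit cipher below %d-bit minimum" % (entry["bits"], min_bits))
    if entry["export"]:
        reasons.append("export-grade")
    return reasons


def audit_expansion(text, min_bits=MIN_BITS):
    """Audit a whole `openssl ciphers -v` expansion.

    Returns {suite_name: [reasons]} containing only the suites that violate
    the policy, so an empty dict means the cipher list is clean.
    """
    findings = {}
    for line in text.splitlines():
        entry = parse_cipher_line(line)
        if entry is None:
            continue
        reasons = weaknesses(entry, min_bits)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


def expand_with_openssl(spec):
    """Hypothetical helper: expand a cipher-list string with the local openssl.

    Run it against the OpenSSL build exim is actually linked with, because
    different releases accept different keywords and ship different suites.
    """
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Audit the constructed sample; to audit a live string instead, pass
    # expand_with_openssl("HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES") to audit_expansion.
    for name, reasons in sorted(audit_expansion(SAMPLE_EXPANSION).items()):
        print("%-24s %s" % (name, "; ".join(reasons)))
```

Run against the sample, the audit flags ADH-AES256-SHA (anonymous key exchange), DES-CBC-SHA and EXP-RC4-MD5 (below 128 bits, the latter also export-grade) and NULL-SHA (no encryption), while RC4-MD5 passes the bit-length test alone; a key-length floor says nothing about the strength of the algorithm itself, so the exclusion keywords still matter.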