On 2007-11-26 at 15:27 +0000, andylockran wrote:
> I'm setting up a cluster of servers for the PCI DSS and I've only got one vulnerability left - which is that SSL/TLS supports weak authentication in exim. (I managed to set SSLv2 to disabled on exim with the following line:)
>
> tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
>
> Unfortunately, this does not set the authentication method to only suport HIGH Levels of encryption (128bit or above).
>
> I can't find any information about where this should be set.. and i know this line works as it manages to disable SSLv2. I've checked section 38 of the manual (and 38.4 specifically as I'm using openssl).
>
> One of the solutions may be to specify the particular encryption methods on this line - but does anyone know a way of implementing the HIGH:MEDIUM:LOW setting in a similar way to the following (from proftpd).
>
> TLSCipherSuite HIGH:MEDIUM:!ADH:!SSLv2
It's left-to-right, IIRC, and so adding SSLv3 later overrode the
!MEDIUM.
I use (but I'm not a cryptographer):
tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH
Turn them all on, disable LOW, the EXPORT restricted ones, Anonymous DH,
the NULL, the plain DES and then sort the remainer in strength order, so
that the strongest one is preferred.
Provided that your OS installs the OpenSSL man-pages, ciphers(1) should
list the options available. Otherwise the current doc (as opposed to
docs for your installed version) is at:
http://www.openssl.org/docs/apps/ciphers.html
Oh, cool, NULL is not included in ALL so my !NULL is sheer paranoia.
I'll leave it there. :^)
-Phil
