Re: [exim] TLS Authentication Strength

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MPhil Pennock at <-
M 
Delete this message
Reply to this message
Author: andylockran
Date:  
To: exim-users
Subject: Re: [exim] TLS Authentication Strength
Phil,

Thanks for your response.

I'm just running a PCI penetration test now which will let me know if it's worked.

I'll post back when I know the results. Weirdly though, my example appeared to work yesterday.. and I printed off a report showing no errors - yet today when I've come to view the same report - the error is back in it.

Nice :)

On Tue, 27 Nov 2007 15:57:02 -0800, Phil Pennock <exim-users@???> wrote:
> On 2007-11-26 at 15:27 +0000, andylockran wrote:
>> I'm setting up a cluster of servers for the PCI DSS and I've only got
> one vulnerability left - which is that SSL/TLS supports weak authentication
> in exim. (I managed to set SSLv2 to disabled on exim with the following
> line:)
>>
>> tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
>>
>> Unfortunately, this does not set the authentication method to only
> suport HIGH Levels of encryption (128bit or above).
>>
>> I can't find any information about where this should be set.. and i know
> this line works as it manages to disable SSLv2. I've checked section 38 of
> the manual (and 38.4 specifically as I'm using openssl).
>>
>> One of the solutions may be to specify the particular encryption methods
> on this line - but does anyone know a way of implementing the
> HIGH:MEDIUM:LOW setting in a similar way to the following (from proftpd).
>>
>> TLSCipherSuite                  HIGH:MEDIUM:!ADH:!SSLv2

>
> It's left-to-right, IIRC, and so adding SSLv3 later overrode the
> !MEDIUM.
>
> I use (but I'm not a cryptographer):
> tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH
>
> Turn them all on, disable LOW, the EXPORT restricted ones, Anonymous DH,
> the NULL, the plain DES and then sort the remainer in strength order, so
> that the strongest one is preferred.
>
> Provided that your OS installs the OpenSSL man-pages, ciphers(1) should
> list the options available. Otherwise the current doc (as opposed to
> docs for your installed version) is at:
> http://www.openssl.org/docs/apps/ciphers.html
>
> Oh, cool, NULL is not included in ALL so my !NULL is sheer paranoia.
> I'll leave it there. :^)
>
> -Phil


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Callout cache life[exim] need confirmation: exim4 + ldaps + ads fails (ok with ldap)->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)