Phil,
Thanks for your response.
I'm just running a PCI penetration test now which will let me know if it's worked.
I'll post back when I know the results. Weirdly though, my example appeared to work yesterday.. and I printed off a report showing no errors - yet today when I've come to view the same report - the error is back in it.
Nice :)
On Tue, 27 Nov 2007 15:57:02 -0800, Phil Pennock <exim-users@???> wrote:
> On 2007-11-26 at 15:27 +0000, andylockran wrote:
>> I'm setting up a cluster of servers for the PCI DSS and I've only got
> one vulnerability left - which is that SSL/TLS supports weak authentication
> in exim. (I managed to set SSLv2 to disabled on exim with the following
> line:)
>>
>> tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
>>
>> Unfortunately, this does not set the authentication method to only
> suport HIGH Levels of encryption (128bit or above).
>>
>> I can't find any information about where this should be set.. and i know
> this line works as it manages to disable SSLv2. I've checked section 38 of
> the manual (and 38.4 specifically as I'm using openssl).
>>
>> One of the solutions may be to specify the particular encryption methods
> on this line - but does anyone know a way of implementing the
> HIGH:MEDIUM:LOW setting in a similar way to the following (from proftpd).
>>
>> TLSCipherSuite HIGH:MEDIUM:!ADH:!SSLv2
>
> It's left-to-right, IIRC, and so adding SSLv3 later overrode the
> !MEDIUM.
>
> I use (but I'm not a cryptographer):
> tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH
>
> Turn them all on, disable LOW, the EXPORT restricted ones, Anonymous DH,
> the NULL, the plain DES and then sort the remainer in strength order, so
> that the strongest one is preferred.
>
> Provided that your OS installs the OpenSSL man-pages, ciphers(1) should
> list the options available. Otherwise the current doc (as opposed to
> docs for your installed version) is at:
> http://www.openssl.org/docs/apps/ciphers.html
>
> Oh, cool, NULL is not included in ALL so my !NULL is sheer paranoia.
> I'll leave it there. :^)
>
> -Phil