[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Author: Martin Kaiser
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
Subject: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #11 from Martin Kaiser <eximBugzilla@???> 2008-08-14 21:02:12 ---
(In reply to comment #9)

Hi Phil,

nice to see that there's been some activity about this bug lately ;-)

> Created an attachment (id=261)
> --> (http://bugs.exim.org/attachment.cgi?id=261)
> New global option, openssl_load_all
>
> I think this is a reasonable compromise and sensible way forward for now,
> without undermining the whole point of the exercise.
>
> A new option, available when SUPPORT_TLS defined, "openssl_load_all". It's a
> boolean, default false. It is a fatal error to set this true without also
> defining "tls_require_ciphers".
>
> The theory being that anyone who knows to load all algorithms knows enough to
> make their own educated decision about a cipher policy but that loading all
> algorithms has the risk of adding new dangerous ciphers that should not be
> present and would be a security step backwards. This avoids Exim needing to
> push a cipher which can become stale and puts Exim only in the position of
> having some mild protection against accidental shooting of self in foot.
>
> I was able to use Martin's sha256 stuff successfully with this patch.
>


No doubt that this is going to do the trick. However, I think this is quite
complicated for an admin. Thinking about the issue again, my preferred solution
would be to just add SHA256 by a call to EVP_AddDigest(). This way, we're not
accidentally enabling weak ciphers and there's no additional complexity for
the exim administrator. I would assume that X.509 certificates with
sha256-based signature (or more exactly pkcs1 1.5 signature using sha256) will
become more and more common.

Best regards,

Martin

