[exim] TLSv1.1, TLSv1.2

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Lena
Date:  
À: exim-users
Sujet: [exim] TLSv1.1, TLSv1.2
After upgrade to openssl 1.0.1, my Perl script using Crypt::SSLeay
was unable to connect as a client to a web server (https),
I had to downgrade openssl to 1.0.0h on that machine (it runs Exim too).

Is the following (from Postfix 2.9.2 release notes) relevant to Exim?
If yes, should we specify
tls_require_ciphers main configuration option (Exim as server) or
tls_require_ciphers smtp transport option (Exim as client)?

-----

| This release adds support to turn off the TLSv1.1 and TLSv1.2
| protocols. Introduced with OpenSSL version 1.0.1, these are known
| to cause inter-operability problems with for example hotmail.

|
| The radical workaround is to temporarily turn off problematic
| protocols globally:

|
| /etc/postfix/main.cf:
|     smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|     smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

|
|     smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|     smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

|
| However, it may be better to temporarily turn off problematic
| protocols for broken sites only:

|
| /etc/postfix/main.cf:
|     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

|
| /etc/postfix/tls_policy:
|     example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2