Re: [exim-dev] 4.82 RC1 GnuTLS testing error

Author: Dr Andrew C Aitchison
Date:  
To: Todd Lyons
CC: exim-dev
Subject: Re: [exim-dev] 4.82 RC1 GnuTLS testing error
On Tue, 1 Oct 2013, Todd Lyons wrote:

> On Tue, Oct 1, 2013 at 12:38 AM, Dr Andrew C Aitchison
> <A.C.Aitchison@???> wrote:
>> I for one *do* set tls_require_ciphers (though I currently use OpenSSL
>> not GnuTLS) - I dropped RC4 a couple of weeks ago after using
>> it for a couple of months to protect against the BEAST.
>
> I can see protecting against BEAST on the web where a session cookie
> is passed on every transaction. What utility does protecting against
> BEAST provide in an SMTP or SMTP Auth session? Help me think out of
> the box because I'm not seeing the usefulness.
At the time I couldn't get enough information to be sure that the
BEAST didn't apply to SMTP, so added RC4 ciphers to protect against it.
Now that nessus and ssl-labs think RC4 is a bigger problem
I'm prepared to trust that the BEAST isn't an issue with SMTP.

My starting point is that http ssl/tls vulnerabilities should be
defended against in smtp/imap/ssh unless I can convince myself that
the vulnerability doesn't apply.

-- 
Dr. Andrew C. Aitchison        Computer Officer, DPMMS, Cambridge
A.C.Aitchison@???    http://www.dpmms.cam.ac.uk/~werdna
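An added example, not part of the thread above and not Exim's own code: when Exim is built against OpenSSL, the value of `tls_require_ciphers` is an OpenSSL cipher string, so the same string can be handed to Python's `ssl` module (which wraps the local OpenSSL) to see which suites it actually yields before the setting is deployed. The function names and the candidate strings below are assumptions made for illustration; the results depend on the OpenSSL build the script runs against.

```python
import ssl
from typing import List

def ciphers_for(spec: str) -> List[str]:
    """Return the cipher-suite names OpenSSL selects for an OpenSSL-style
    cipher string such as the one Exim (OpenSSL build) puts in
    tls_require_ciphers. An empty list means the string selects nothing,
    which is what OpenSSL reports when a spec names only unavailable
    suites (e.g. RC4 on a build that has dropped it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # get_ciphers() lists the suites the context will offer, one dict each.
    return [c["name"] for c in ctx.get_ciphers()]

def offers_rc4(spec: str) -> bool:
    """True if any suite selected by `spec` uses RC4 (ARCFOUR)."""
    return any("RC4" in name for name in ciphers_for(spec))

def check_policy(spec: str) -> dict:
    """Summarise a candidate tls_require_ciphers value: how many suites
    it selects and whether RC4 survives. Hypothetical helper."""
    names = ciphers_for(spec)
    return {"spec": spec, "suites": len(names), "rc4": offers_rc4(spec)}

if __name__ == "__main__":
    # Constructed candidate values; "DEFAULT:!RC4" is the shape of an
    # OpenSSL string that removes RC4 from the default list.
    for spec in ("DEFAULT", "DEFAULT:!RC4", "HIGH", "RC4"):
        print(check_policy(spec))
```

The point of running this locally rather than reasoning about the string is that "!RC4" only disables what the local OpenSSL offers; a build that never included RC4 shows the same result for `DEFAULT` and `DEFAULT:!RC4`, while a build that does include it shows the difference.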