Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?
On Mon, Oct 07, 2013 at 05:25:19PM +0000, Viktor Dukhovni wrote:

> This is a mistake. You probably meant:
>
>     kEDH+HIGH:!eNULL:!aNULL:!MD5:@STRENGTH
>
> which is the properly sorted intersection of kEDH and HIGH, instead
> you're getting the union of kEDH and HIGH without sensible sorting,
> which include for example:


Comment, of course with "kEDH+HIGH" as the only inclusion component
of the cipherlist, there is strictly speaking no need for the
"!eNULL" part. This said, it is a cheap safety feature. For
example, with "kEECDH:HIGH" the !eNULL constraint is actually
needed. And when using multiple inclusion components, don't forget
"@STRENGTH" which, in addition to sorting the various strength
ciphers properly, would have the effect of putting the NULL ciphers
last.

-- 
    Viktor.
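
The cipher-string behaviour discussed in this message, as an added example that is not part of the original post and is not OpenSSL or Exim code. It is a simplified model covering only inclusion, `A+B` intersection, `!` exclusion and `@STRENGTH`; the `evaluate` function and the `CIPHERS` table (a constructed subset of suite names with assumed tags and strength bits) are hypothetical, and real OpenSSL default ordering differs.

```python
# Simplified model of OpenSSL cipher-string evaluation (added example).
# Constructed subset of suites: name -> (attribute tags, strength in bits).
CIPHERS = {
    "ECDHE-RSA-NULL-SHA":   ({"kEECDH", "aRSA", "eNULL", "SHA1"}, 0),
    "ECDHE-RSA-AES128-SHA": ({"kEECDH", "aRSA", "HIGH", "SHA1"}, 128),
    "ECDHE-RSA-AES256-SHA": ({"kEECDH", "aRSA", "HIGH", "SHA1"}, 256),
    "EDH-RSA-DES-CBC-SHA":  ({"kEDH", "aRSA", "LOW", "SHA1"}, 56),
    "DHE-RSA-AES128-SHA":   ({"kEDH", "aRSA", "HIGH", "SHA1"}, 128),
    "DHE-RSA-AES256-SHA":   ({"kEDH", "aRSA", "HIGH", "SHA1"}, 256),
    "ADH-AES256-SHA":       ({"kEDH", "aNULL", "HIGH", "SHA1"}, 256),
    "AES128-SHA":           ({"kRSA", "aRSA", "HIGH", "SHA1"}, 128),
    "RC4-MD5":              ({"kRSA", "aRSA", "MEDIUM", "MD5"}, 128),
}

def evaluate(spec):
    """Return the ordered suite names selected by a cipher string."""
    selected, killed = [], set()
    for part in spec.split(":"):
        if part == "@STRENGTH":
            # Stable sort, strongest first; zero-bit NULL suites sink to the end.
            selected.sort(key=lambda n: -CIPHERS[n][1])
            continue
        exclude = part.startswith("!")
        wanted = set(part.lstrip("!").split("+"))   # "A+B" = logical AND
        matches = [n for n, (tags, _) in CIPHERS.items() if wanted <= tags]
        if exclude:
            killed.update(matches)                  # "!" removes permanently
            selected = [n for n in selected if n not in killed]
        else:
            selected += [n for n in matches
                         if n not in selected and n not in killed]
    return selected

if __name__ == "__main__":
    for spec in ("kEDH+HIGH:!eNULL:!aNULL:!MD5:@STRENGTH",
                 "kEDH:HIGH",
                 "kEECDH:HIGH",
                 "kEECDH:HIGH:@STRENGTH",
                 "kEECDH:HIGH:!eNULL:!aNULL:!MD5:@STRENGTH"):
        print(spec, "->", evaluate(spec))
```
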