Re: [exim] some OpenSSL topics

Author: Wolfgang Breyha
Date:  
To: exim-users
Subject: Re: [exim] some OpenSSL topics
Viktor Dukhovni wrote, on 15.10.2013 17:05:
> This cipher list is clearly the result of an incomplete understanding
> of the OpenSSL cipherlist syntax. And yet you're not a novice
> user. Hence my contention that the OpenSSL cipher syntax is for
> OpenSSL experts only, applications should not expose it directly
> to users.


Thanks for your detailed explanation! I already recognized the NULL ciphers I
indeed didn't want to include. I searched for the correct pendant of kEDH for
EC, but didn't find anything useful.

Even
http://www.openssl.org/docs/apps/ciphers.html
does not list "kEECDH"! I think I tried kECDH, kECDHE without success. Then I
found ECDH adding the ciphers I wanted and some others I didn't care about
(enough;-) ).

So, my cipherlist is a result of incomplete documentation as well ...
resulting in incomplete understanding.

> [ Postfix has cipher grades (null, export, low, medium, high), users
> choose one of these, and leave the underlying cipherlists alone! ]


Sure. I won't touch cipher strings if the defaults are reasonable. But the
results of sites like ssllabs.com testing my webservers suggest the opposite.

And e.g. Apache mod_ssl also documents the cipher details.

But thanks a lot for your warnings and explanations!

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria