Dear All,
I have been going round and round in circles trying to do this :-{. I have tried lots of different incantations using tls_require_ciphers but without success.
My exim which came ready built in an RPM is linked with OpenSSL rather than GnuTLS. I am using 'nmap --script ssl-enum-ciphers -p 465' to see what ciphers are offered.
Without a tls_require_ciphers statement I get the following protocols offered; SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; each with at least 13 ciphers included. Ideally I would
like to just eliminate all the SSLv3 ones. The closest I have been able to come to doing this is to get only TLSv1.2 protocol with the following four ciphers
(TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only). External relay machines
delivering mail (eg. Microsoft's FOPE servers) do not find an acceptable choice amongst these.
I am at a loss to know why 'tls_require_ciphers = All:!SSLv2:!SSLv3' does not do what I want. It just results in no ciphers being offered.
Below is the full list of every combination I tried in /etc/exim.conf, together with an appended one line summary of what resulting ciphers were offered as available.
I would like to get the system secured against SSLv3 ASAP. Please help!
System details:
OS: SLC6 (derivative of RHEL6).
Arch: X86_64
Thanks
Tom Crane
tls_on_connect_ports = 465
# TLS settings
tls_advertise_hosts = *
tls_certificate = /etc/exim/certs/smtp.pem
tls_privatekey = /etc/exim/certs/smtp.key
#gnutls_require_protocols = !SSLv2:!SSLv3:TLSv1
#tls_require_ciphers = All:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = TLSv1 -- Ciphers available: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2
#tls_require_ciphers = !SSLv2:!SSLv3:TLSv1 -- Ciphers available: None
#tls_require_ciphers = TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = TLSv1+HIGH:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = TLSv1:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = TLSv1:!SSLv2 -- Ciphers available: None
#No tls_require_ciphers statement -- Ciphers available: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2
#tls_require_ciphers = HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: TLSv1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only)
#tls_require_ciphers = All:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = ALL:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = HIGH:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: TLSv1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only)
#tls_require_ciphers = MEDIUM:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = LOW:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = :+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = +TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = HIGH:MEDIUM:+TLSv1.1:!SSLv2:!SSLv3 -- Ciphers available: TLSv1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only)
#tls_require_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:+TLSv1:!SSLv2:!SSLv3 Ciphers available: TLSv1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only)
#tls_require_ciphers = TLS_RSA_WITH_AES_128_CBC_SHA256:+TLSv1:!SSLv2:!SSLv3 -- Ciphers available: None
#tls_require_ciphers = TLSv1+HIGH -- Ciphers available: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 (reduced set of ciphers in each protocol)
#tls_require_ciphers = +TLSv1:!SSLv2:!SSLv3:+TLSv1 -- Ciphers available: None
#tls_require_ciphers = HIGH:MEDIUM:+TLSv1.2:!SSLv2:!SSLv3 -- Ciphers available: TLSv1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only)
#tls_require_ciphers = NORMAL:-VERS+TLSv1 -- Ciphers available: None
#tls_require_ciphers = NORMAL:+TLSv1 -- Ciphers available: None
#tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP -- Ciphers available: TLSv1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only)
--
Tom Crane, Dept. Physics, Royal Holloway, University of London, Egham Hill,
Egham, Surrey, TW20 0EX, England.
Email: T.Crane@???
Fax: +44 (0) 1784 472794
