On 2014-10-16 at 17:49 +0100, TPCexim@??? wrote:
> I have been going round and round in circles trying to do this :-{. I have tried lots of different incantations using tls_require_ciphers but without success.
> My exim which came ready built in an RPM is linked with OpenSSL rather than GnuTLS. I am using 'nmap --script ssl-enum-ciphers -p 465' to see what ciphers are offered.
The instructions are in:
https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html
Note: you are using OpenSSL, so the `openssl_options` Exim option is the
one which you need to set. OpenSSL does not permit using a cipherspec
to tune broader options. The `tls_require_ciphers` option can only take
the values described in `man ciphers`.
> I am at a loss to know why 'tls_require_ciphers = All:!SSLv2:!SSLv3' does not do what I want. It just results in no ciphers being offered.
Because it's `ALL` not `All`; whatever value you pass here, is expanded
in the same way as the `openssl ciphers` command; thus:
----------------------------8< cut here >8------------------------------
% openssl ciphers 'All:!SSLv2:!SSLv3'
Error in cipher list
34381432488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
% openssl ciphers 'ALL:!SSLv2:!SSLv3'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
----------------------------8< cut here >8------------------------------
This just controls which ciphers are available, not the protocol
negotiation, so you still want to use `openssl_options`.
-Phil