Re: [exim] Problem disabling SSLv3 ciphers on Exim 4.72 to d…

Góra strony
Delete this message
Reply to this message
Autor: TPCexim
Data:  
Dla: exim-users
CC: TPCexim
Temat: Re: [exim] Problem disabling SSLv3 ciphers on Exim 4.72 to deal with Poodle vunerability (CVE-2014-3566)
>
> On 2014-10-16 at 17:49 +0100, TPCexim@??? wrote:
> >     I have been going round and round in circles trying to do this :-{. I have tried lots of different incantations using tls_require_ciphers but without success.  
> > My exim which came ready built in an RPM is linked with OpenSSL rather than GnuTLS. I am using 'nmap --script ssl-enum-ciphers -p 465' to see what ciphers are offered.

>
> The instructions are in:
>
> https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html
>
> Note: you are using OpenSSL, so the `openssl_options` Exim option is the
> one which you need to set. OpenSSL does not permit using a cipherspec
> to tune broader options. The `tls_require_ciphers` option can only take
> the values described in `man ciphers`.
>
> > I am at a loss to know why 'tls_require_ciphers = All:!SSLv2:!SSLv3' does not do what I want. It just results in no ciphers being offered.
>
> Because it's `ALL` not `All`; whatever value you pass here, is expanded
> in the same way as the `openssl ciphers` command; thus:
>
> ----------------------------8< cut here >8------------------------------
> % openssl ciphers 'All:!SSLv2:!SSLv3'
> Error in cipher list
> 34381432488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
>
> % openssl ciphers 'ALL:!SSLv2:!SSLv3'
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
> ----------------------------8< cut here >8------------------------------
>
> This just controls which ciphers are available, not the protocol
> negotiation, so you still want to use `openssl_options`.


Phil,
Many thanks for the explanation and above link describing the openssl_options option. As it was not available in exim-4.72, the RPM package version which comes with
SLC6 (the system I am using) I built the current version (4.84) from source, which is now installed and working nicely. In case these are useful to anyone else running
SLC6/SL6/Centos6/RHEL6 etc. Here are the RPMs together with their MD5 checksums.


http://www.mklab.rhul.ac.uk/~tom/exim-4.84-1.el6.src.rpm        037c83fdc369c4dd315131d162cbf287
http://www.mklab.rhul.ac.uk/~tom/exim-4.84-1.el6.x86_64.rpm     7170ba90ec3de50ba858546c51caa0fb
http://www.mklab.rhul.ac.uk/~tom/exim-debuginfo-4.84-1.el6.x86_64.rpm   07bc2d3fe3cc915c454938a7b18b231b
http://www.mklab.rhul.ac.uk/~tom/exim-greylist-4.84-1.el6.x86_64.rpm    54c0b7104acce075e343b362fcf11526
http://www.mklab.rhul.ac.uk/~tom/exim-mon-4.84-1.el6.x86_64.rpm 3915965edc801574dd9653e07ff8fafb
http://www.mklab.rhul.ac.uk/~tom/exim-mysql-4.84-1.el6.x86_64.rpm       2d0f45a062eb59e314c4e3d8e636f6b9
http://www.mklab.rhul.ac.uk/~tom/exim-pgsql-4.84-1.el6.x86_64.rpm       eae29b80f81e78ba7416aca8d85a7aba


Cheers
Tom.

-- 
Tom Crane, Dept. Physics, Royal Holloway, University of London, Egham Hill,
Egham, Surrey, TW20 0EX, England. 
Email:  T.Crane@???
Fax:    +44 (0) 1784 472794