Tried ** Exim didn't accept +no_tlsv1_1 : error openssl_options parse
error: +no_sslv3 +no_tlsv1 +no_tlsv1_1
** Changed to openssl_options = +no_sslv3 +no_tlsv1 tried with and without
tls_require_ciphers still getting error below.
Got error (SSL_accept): error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol
On Thu, Jul 30, 2015 at 9:18 AM, Viktor Dukhovni <exim-users@???>
wrote:
> On Thu, Jul 30, 2015 at 12:55:37PM +0000, Viktor Dukhovni wrote:
>
> > This is unwise, the majority of the ciphers used in TLS 1.2 are
> > carried over from SSL 3.0, so you SHOULD NOT disable SSLv3 ciphers,
> > rather just disabling the protocols suffices. And your cipherlist
> > is unwise. For decent security and maximum interoperability try:
> >
> > HIGH:MEDIUM:@STRENGTH
> :+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5
> >
>
> Forgot one thing. Postfix automatically excludes aNULL (aka ADH)
> ciphers when peer authentication is required, but Exim probably
> uses the same cipherlist throughout. So you may want to also
> disable aNULL (or ADH if you like that name better) as your post
> indicated.
>
> If possible, I would leave aNULL enabled on the receiving side
> (SMTP server), if the client is not checking your certificate
> (willing do without) sending the certificate and doing signing
> operations is mostly wasted effort. Whether you need to disable
> aNULL on the sending side (SMTP client) is your call. If as with
> most SMTP servers you don't enforce authentication for any peers,
> soliciting certificates is of marginal value.
>
> Some folks say that not signalling that you're not intending to
> authenticate the server makes it easier for an active man-in-the-middle
> attacker to select connections where the attacks won't be detected.
> I don't think this makes much of a difference.
>
> If you want MiTM protection, recent Exim versions support DANE
> (still experimental?). While deployment is still very thin, it is
> growing. If you decide to sign your DNS zones and publish TLSA
> records, PLEASE PLEASE don't forget to update the TLSA records
> before deploying new keys/certificates in the future.
>
> https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-8.1
> https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-8.4
> https://dane.sys4.de/common_mistakes#3
> https://dane.sys4.de/common_mistakes
>
> --
> Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
