Re: [exim] Force TLSv1.2 on EXIM server (4.80.1)

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Force TLSv1.2 on EXIM server (4.80.1)
On Thu, Jul 30, 2015 at 09:32:15AM -0400, 3YSTech Services wrote:

> Tried ** Exim didn't accept +no_tlsv1_1 : error openssl_options parse
> error: +no_sslv3 +no_tlsv1 +no_tlsv1_1


That suggests that Exim was compiled against OpenSSL 0.9.8 which
only has TLS 1.0.

> ** Changed to openssl_options = +no_sslv3 +no_tlsv1 tried with and without
> tls_require_ciphers still getting error below.


Don't do that. Low-level security settings are not
something one should arrive at by trial and error. The defaults
are usually much safer than anything you'll arrive at by experiment.

You almost certainly don't need to disable TLSv1. It is quite
sufficiently strong for opportunistic TLS. No need to be fashionable.
Attempts to maximize security often backfire and reduce security.

For opportunistic TLS, raising the security bar results in fewer
peers being able to encrypt and more peers sending in the clear.

    https://tools.ietf.org/html/rfc7435


-- 
    Viktor.
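The trade-off in the reply above (a protocol floor that is too high turns encrypted sessions into cleartext ones under opportunistic TLS, and into delivery failures under mandatory TLS) can be made concrete with a small model. This is an added example, not code from the exim-users thread or from Exim: it does not speak SMTP, it only applies the RFC 7435 fallback rule to a constructed list of peer capabilities. The peer names, their version lists and the `floor`/`mandatory` parameters are all assumptions made for illustration.

```python
"""Model of what a TLS version floor does to an opportunistic-TLS MTA.

Added example, not from the exim-users thread or from Exim itself.
The peer list below is constructed for illustration; 'versions' are the
protocol versions a remote MTA can negotiate (empty = no STARTTLS at all).
"""

from dataclasses import dataclass

# Protocol versions in strength order; higher number = newer.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}


@dataclass(frozen=True)
class Peer:
    name: str
    versions: tuple  # versions the remote side can negotiate, any order


# Constructed sample of remote MTAs (hypothetical hosts, not real data).
PEERS = (
    Peer("old-appliance", ("SSLv3", "TLSv1")),
    Peer("openssl-0.9.8-box", ("SSLv3", "TLSv1")),
    Peer("modern-mta", ("TLSv1", "TLSv1.1", "TLSv1.2")),
    Peer("no-starttls", ()),
)


def best_common(peer_versions, floor):
    """Highest version the peer offers that is at least `floor`, or None."""
    acceptable = [v for v in peer_versions if TLS_ORDER[v] >= TLS_ORDER[floor]]
    return max(acceptable, key=TLS_ORDER.get) if acceptable else None


def outcome(peer, floor, mandatory):
    """Return 'encrypted:<version>', 'cleartext' or 'failed'.

    Opportunistic mode (RFC 7435): if no acceptable version exists the
    message is still delivered, just without TLS.  Mandatory mode: the
    sender refuses to deliver instead.
    """
    version = best_common(peer.versions, floor)
    if version is not None:
        return f"encrypted:{version}"
    return "failed" if mandatory else "cleartext"


def summarize(floor, mandatory=False, peers=PEERS):
    """Count how the peer population fares under a given policy."""
    counts = {"encrypted": 0, "cleartext": 0, "failed": 0}
    for peer in peers:
        counts[outcome(peer, floor, mandatory).split(":")[0]] += 1
    return counts


if __name__ == "__main__":
    # Floor TLSv1 corresponds to "+no_sslv3" alone; TLSv1.2 to the
    # "+no_sslv3 +no_tlsv1 +no_tlsv1_1" line the original poster tried.
    for floor in ("TLSv1", "TLSv1.2"):
        for mandatory in (False, True):
            mode = "mandatory" if mandatory else "opportunistic"
            print(f"floor={floor:8s} {mode:13s} {summarize(floor, mandatory)}")
```

With the constructed peers, a floor of TLSv1 leaves three of four peers encrypted and only the peer without STARTTLS in the clear; raising the floor to TLSv1.2 encrypts one peer and pushes the other three to cleartext (or, in mandatory mode, to failure). The model assumes each peer negotiates its highest mutually acceptable version, which is what a normal TLS handshake does.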