Re: [exim] Force TLSv1.2 on EXIM server (4.80.1)

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] Force TLSv1.2 on EXIM server (4.80.1)
On Sat, Aug 01, 2015 at 11:05:49AM +0900, Randy Bush wrote:

> # uname -a
> Linux ran.psg.com 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:22:15 UTC 2015 i686 athlon i686 GNU/Linux
>
> fully updated, but which seems to have an old exim
>
> # exim --version
> Exim version 4.82 #3 built 25-Feb-2014 16:38:04
>
> >     HIGH:MEDIUM:@STRENGTH:+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5

>
> #openssl_options = +no_sslv2 +no_sslv3    # seems to use gnutls
> tls_require_ciphers = HIGH:MEDIUM:@STRENGTH:+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5                                                        

Sorry, I am not familiar with GnuTLS enough to give hands-on advice.
The idea is to disable:

    * MD5 ciphers
    * SRP and PSK ciphers
    * DSS aka DSA certificates
    * Fixed DH and Fixed ECDH key agreement
    * SEED, IDEA, RC2 and RC5 crypto.
    * Single-DES and EXPORT ciphers (likely off in GnuTLS by default)
    * anon_DH and anon_ECDH ciphers if you need server certs for authentication.


How this is done with GnuTLS you'll have to ask someone more familar
with that software.

-- 
    Viktor.