Re: [exim] Force TLSv1.2 on EXIM server (4.80.1)

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Force TLSv1.2 on EXIM server (4.80.1)
On Sat, Aug 01, 2015 at 11:05:49AM +0900, Randy Bush wrote:

> # uname -a
> Linux ran.psg.com 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:22:15 UTC 2015 i686 athlon i686 GNU/Linux
>
> fully updated, but which seems to have an old exim
>
> # exim --version
> Exim version 4.82 #3 built 25-Feb-2014 16:38:04
>
> >     HIGH:MEDIUM:@STRENGTH:+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5
>
> #openssl_options = +no_sslv2 +no_sslv3    # seems to use gnutls
> tls_require_ciphers = HIGH:MEDIUM:@STRENGTH:+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5

Sorry, I am not familiar with GnuTLS enough to give hands-on advice.
The idea is to disable:

    * MD5 ciphers
    * SRP and PSK ciphers
    * DSS aka DSA certificates
    * Fixed DH and Fixed ECDH key agreement
    * SEED, IDEA, RC2 and RC5 crypto.
    * Single-DES and EXPORT ciphers (likely off in GnuTLS by default)
    * anon_DH and anon_ECDH ciphers if you need server certs for authentication.


How this is done with GnuTLS you'll have to ask someone more familiar
with that software.

-- 
    Viktor.
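An added example, not part of the thread, that checks an OpenSSL cipher string against the categories listed in the reply by parsing the `Kx=`/`Au=`/`Enc=`/`Mac=` fields of `openssl ciphers -v`-style descriptions. It assumes Python's `ssl` module is linked against OpenSSL, applies only to the OpenSSL syntax quoted from the config (not GnuTLS priority strings), and reports anonymous suites separately because the last item in the list is conditional.

```python
import re
import ssl

# The OpenSSL cipher string quoted from the Exim config in this thread.
EXIM_TLS_REQUIRE_CIPHERS = (
    "HIGH:MEDIUM:@STRENGTH:+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5"
)

# Description lines look like: "NAME PROTO Kx=.. Au=.. Enc=.. Mac=.. [export]"
_FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")

def violations(description):
    """Return the policy items (from the reply) that one cipher description breaks."""
    f = dict(_FIELD.findall(description))
    kx, au = f.get("Kx", ""), f.get("Au", "")
    enc = f.get("Enc", "").split("(")[0]          # "SEED(128)" -> "SEED"
    hits = []
    if f.get("Mac") == "MD5":
        hits.append("md5")
    if kx == "SRP" or "PSK" in kx or au == "PSK":
        hits.append("srp/psk")
    if au == "DSS":
        hits.append("dss")
    # Fixed (non-ephemeral) DH/ECDH shows as Kx=DH/RSA, Kx=ECDH/ECDSA, Au=DH, Au=ECDH;
    # ephemeral DHE/ECDHE shows as plain Kx=DH or Kx=ECDH and is fine.
    if "/" in kx or au in ("DH", "ECDH"):
        hits.append("fixed-dh/ecdh")
    if enc in ("SEED", "IDEA", "RC2", "RC5"):
        hits.append("weak-cipher")
    if enc == "DES" or "export" in description.split():
        hits.append("des/export")
    if au == "None":                              # anon_DH / anon_ECDH
        hits.append("anonymous")
    return hits

def audit(descriptions):
    """Map cipher name -> violations for every description that breaks the policy."""
    report = {}
    for line in descriptions:
        hits = violations(line)
        if hits:
            report[line.split()[0]] = hits
    return report

def audit_cipher_string(cipher_string):
    """Resolve a cipher string with the linked OpenSSL and audit what it selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return audit(c["description"] for c in ctx.get_ciphers())
```

Running `audit_cipher_string(EXIM_TLS_REQUIRE_CIPHERS)` on a current OpenSSL shows that every category in the reply is excluded by the quoted string except the anonymous suites, which `HIGH:MEDIUM` still admits unless `!aNULL` is added.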