From: Björn Jacke <bjacke@???>
---
doc/doc-docbook/spec.xfpt | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 69a810c..0bb013a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16711,8 +16711,7 @@ The &(smtp)& transport has an option of the same name for controlling outgoing
connections. This option is expanded for each connection, so can be varied for
different clients if required. The value of this option must be a list of
permitted cipher suites. The OpenSSL and GnuTLS libraries handle cipher control
-in somewhat different ways. If GnuTLS is being used, the client controls the
-preference order of the available ciphers. Details are given in sections
+in somewhat different ways. Details are given in sections
&<<SECTreqciphssl>>& and &<<SECTreqciphgnu>>&.
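Review bot: Deleting the GnuTLS sentence in this hunk leaves the paragraph with no statement of what the default preference order is. The later hunk documents %SERVER_PRECEDENCE as the way to make the server choose, so a reader of this option's description should still learn that the client's order wins without it. Consider keeping a reworded sentence instead of dropping it, for example "If GnuTLS is being used, the client controls the preference order of the available ciphers unless %SERVER_PRECEDENCE is included in the priority string."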
@@ -26548,9 +26547,12 @@ on that site can be used to test a given string.
For example:
.code
# Disable older versions of protocols
-tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
+tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0:%SERVER_PRECEDENCE
.endd
+The SERVER_PRECEDENCE keyword instructs GnuTLS to let the server choose the
+preferred cipher and not honor the order of ciphers that the client sent.
+
Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three
additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and
"&%gnutls_require_protocols%&". &%tls_require_ciphers%& was an Exim list.
@@ -26564,7 +26566,7 @@ used:
# GnuTLS variant
tls_require_ciphers = ${if =={$received_port}{25}\
{NORMAL:%COMPAT}\
- {SECURE128}}
+ {SECURE128}}:%SERVER_PRECEDENCE
.endd
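Review bot: On the last line of the example, ":%SERVER_PRECEDENCE" sits after the closing braces of the ${if ...} expansion, so it is appended to both the port 25 result (NORMAL:%COMPAT) and the SECURE128 result. That is probably what is intended, but on the continuation line it is easy to read as belonging to the SECURE128 branch only. A short comment above the setting, or a sentence after .endd, saying that the suffix applies to whichever branch is selected would remove the ambiguity.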
--
2.4.2