Author: Phil Pennock
Date:
To: Arkadiusz Miśkiewicz
CC: exim-users
Subject: Re: [exim] safe handling of $tls_sni
On 2016-10-18 at 08:28 +0200, Arkadiusz Miśkiewicz wrote:
> On Monday 17 of October 2016, Phil Pennock wrote:
> > Or base64-encode it.
>
> "/" is part of base64 alphabet, so would have to replace that with other
> character, too.

You're quite right. I was thinking of the `base64url` encoding from
RFC4648; it's used so often that I forgot.

Hrm, perhaps Exim should support that too.

> I wonder how big performance impact will be there on each connection when
> using sha1. sha will be calculated even twice for single connection.

Your mail was delivered from the exim.org mail-handling host to my
mail-handling host using `TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256`.
Gmail's mail-servers record that when you uploaded it to them, your
system negotiated `version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256
bits=128/128`.

SHA1 is faster than the SHA2 family of hashes; if you're calculating
SHA2 hashes twice (for HMAC) for every block received over TLS, doing
SHA1 twice at the start should not be a concern.
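
Added example, not part of the original message and not Exim configuration: a Python sketch of the encoding point discussed in this thread, showing that standard base64 of an untrusted SNI value can contain "/" while the RFC 4648 `base64url` form and a SHA1 hex digest stay a single filename component. The certificate directory, the function names and the sample SNI value are assumptions constructed for illustration.

```python
import base64
import hashlib
import posixpath

CERT_DIR = "/srv/example/certs"  # hypothetical directory (assumption)
# Constructed, untrusted SNI value whose standard base64 form contains "/".
SAMPLE_SNI = b"mail.example???"


def b64_std(sni: bytes) -> str:
    """Standard base64 (RFC 4648 section 4): alphabet includes '+' and '/'."""
    return base64.b64encode(sni).decode("ascii")


def b64_url(sni: bytes) -> str:
    """base64url (RFC 4648 section 5): '-' and '_' replace '+' and '/'."""
    return base64.urlsafe_b64encode(sni).decode("ascii").rstrip("=")


def sha1_hex(sni: bytes) -> str:
    """Fixed-length alternative: 40 hex characters whatever the input size."""
    return hashlib.sha1(sni).hexdigest()


def cert_path(sni: bytes, encode=b64_url) -> str:
    """Map an SNI value to a file directly inside CERT_DIR, or raise."""
    name = encode(sni) + ".pem"
    path = posixpath.normpath(posixpath.join(CERT_DIR, name))
    # Defence in depth: the result must be a direct child of CERT_DIR.
    if posixpath.dirname(path) != CERT_DIR:
        raise ValueError("encoded SNI is not a single path component")
    return path


if __name__ == "__main__":
    print("base64   :", b64_std(SAMPLE_SNI))
    print("base64url:", b64_url(SAMPLE_SNI))
    print("sha1     :", sha1_hex(SAMPLE_SNI))
    print("path     :", cert_path(SAMPLE_SNI))
    try:
        cert_path(SAMPLE_SNI, encode=b64_std)
    except ValueError as exc:
        print("rejected :", exc)
```

The base64url form grows with the length of the SNI value, whereas the SHA1 digest is always 40 characters, which matters where the filesystem limits filename length.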