Re: [exim] Best way tls_certificate select

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Best way tls_certificate select


> On Jan 21, 2018, at 5:39 AM, Sławomir Dworaczek <slawek@???> wrote:
>
> tls_require_ciphers invalid: gnutls_priority_init(ALL:!ADH:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv3) failed at offset 0, "ALL:!ADH.." failed: The request is invalid.


You're trying to use an OpenSSL cipher string as a GnuTLS priority string.
GnuTLS does not support OpenSSL syntax.

It is also odd that you'd like to prefer RC4+RSA over all other
ciphers. Also, with OpenSSL, "!SSLv3" does not mean what you
think it means. Instead of disabling the SSLv3 protocol this
disables the ciphers defined with SSLv3 which are also some
of the more common ciphers used with TLS 1.0, TLS 1.1 and TLS 1.2.

Indeed all "RC4+RSA" ciphers are SSLv3 ciphers, so you're actually
putting those first only to finally exclude them.

It is best to not cargo-cult cipher strings you do not understand.
I hope that Exim has sensible defaults for the TLS protocol and
cipher preferences, or documents a few sensible choices. Stick
to those, and try to avoid recommendations from other sources.
Much of the TLS cipher configuration advice you'll find online is
misguided.

-- 
    Viktor.
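As an added illustration (not part of Viktor's reply or of Exim), the following Python model walks an OpenSSL-style cipher string token by token over a small constructed cipher table and prints what survives. The table and the evaluation rules are a simplified approximation of OpenSSL's `openssl ciphers` semantics, not OpenSSL's own code; it shows that the trailing `!SSLv3` deletes the RC4 suites together with the SSLv3-defined AES-SHA suites that TLS 1.0 to 1.2 still use.

```python
# Simplified model of OpenSSL cipher-string evaluation (constructed example,
# not OpenSSL's implementation) over an illustrative cipher table.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    version: str   # protocol the suite was defined in, as `openssl ciphers -v` reports
    kx: str        # key exchange
    au: str        # authentication
    enc: str       # bulk cipher
    strength: str  # OpenSSL strength class


# Constructed subset, in a plausible default preference order.
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "ECDH", "RSA", "AESGCM", "HIGH"),
    Cipher("DHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "DH", "RSA", "AESGCM", "HIGH"),
    Cipher("ECDHE-RSA-AES128-SHA", "TLSv1", "ECDH", "RSA", "AES", "HIGH"),
    Cipher("DHE-RSA-AES256-SHA", "SSLv3", "DH", "RSA", "AES", "HIGH"),
    Cipher("AES128-SHA", "SSLv3", "RSA", "RSA", "AES", "HIGH"),
    Cipher("ADH-AES128-SHA", "SSLv3", "DH", "None", "AES", "HIGH"),
    Cipher("RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", "MEDIUM"),
    Cipher("RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", "MEDIUM"),
    Cipher("DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES", "LOW"),
    Cipher("EXP-RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", "EXP"),
]


def matches(c: Cipher, word: str) -> bool:
    """Does one alias word (ALL, ADH, RSA, RC4, HIGH, SSLv3, ...) select this cipher?"""
    if word == "ALL":
        return True
    if word == "ADH":  # anonymous DH: no authentication
        return c.kx == "DH" and c.au == "None"
    return word in (c.version, c.kx, c.au, c.enc, c.strength)


def expand(spec: str) -> list:
    """Apply the cipher string to CIPHERS and return the surviving names in order."""
    current, killed = [], set()
    for token in spec.split(":"):
        if not token or token.startswith("@"):  # ignore empty tokens and @ directives
            continue
        op, word = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        words = word.split("+")  # "RC4+RSA" means the intersection of both aliases
        hit = [c for c in CIPHERS if c not in killed and all(matches(c, w) for w in words)]
        if op == "!":    # delete permanently; later tokens cannot re-add
            killed.update(hit)
            current = [c for c in current if c not in hit]
        elif op == "-":  # delete, but a later plain token may re-add
            current = [c for c in current if c not in hit]
        elif op == "+":  # move matching entries already in the list to the end
            current = [c for c in current if c not in hit] + [c for c in current if c in hit]
        else:            # append matching entries not already in the list
            current += [c for c in hit if c not in current]
    return [c.name for c in current]


if __name__ == "__main__":
    print(expand("ALL:!ADH:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv3"))
```

In this model the RC4 suites are already present after `ALL`, are shuffled by `+HIGH:+MEDIUM`, and are then removed by `!SSLv3`, leaving only the TLSv1 and TLSv1.2-defined suites.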