[exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list

Pàgina inicial
Delete this message
Reply to this message
Autor: Konstantin Boyandin
Data:  
A: exim-users
Assumpte: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
Hello,

After having scanned 4.90.1 installation with OpenVAS, the below was
reported:

'Weak' cipher suites accepted by this service via the
TLSv1.0/TLSv1.1/TLSv1.2 protocols: TLS_RSA_WITH_SEED_CBC_SHA

Default settings (no explicit "tls_require_ciphers", "openssl_options")
are in use.

Can someone recommend simplest ciphers selection for Exim, to exclude
the mentioned cipher? The settings present on cipherli.st:

tls_require_ciphers = AES128+EECDH:AES128+EDH
openssl_options = +no_sslv2 +no_sslv3

seem kind of too strict, there were reported problems receiving email
after the above were put in effect.

Sincerely,
Konstantin