Author: Konstantin Boyandin
Date:
To: exim-users
Subject: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
Hello,
After having scanned a 4.90.1 installation with OpenVAS, the below was
reported:

  'Weak' cipher suites accepted by this service via the
  TLSv1.0/TLSv1.1/TLSv1.2 protocols: TLS_RSA_WITH_SEED_CBC_SHA

Default settings (no explicit "tls_require_ciphers", "openssl_options")
are in use.
Can someone recommend the simplest cipher selection for Exim, to exclude
the mentioned cipher? The settings present on cipherli.st:

  tls_require_ciphers = AES128+EECDH:AES128+EDH
  openssl_options = +no_sslv2 +no_sslv3

seem kind of too strict; there were reported problems receiving email
after the above were put in effect.
Sincerely,
Konstantin
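
Added example, not part of the original post and not Exim's own code: a way to see which suites a candidate tls_require_ciphers value would enable before deploying it, by expanding the string with the local OpenSSL and flagging SEED suites (OpenSSL names TLS_RSA_WITH_SEED_CBC_SHA as SEED-SHA). It assumes Exim is built against OpenSSL, where the option is passed to OpenSSL as a cipher list; "DEFAULT:!SEED" is an assumed candidate string, and the OpenSSL that Python links to may differ from the one Exim uses.

```python
import ssl

# Candidate cipher strings. Only the last one appears in the post (from
# cipherli.st); "DEFAULT:!SEED" is an assumed candidate, not a setting
# recommended anywhere in the thread.
CANDIDATES = ["DEFAULT", "DEFAULT:!SEED", "AES128+EECDH:AES128+EDH"]


def expand(cipher_string):
    """Suite names the local OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def flag(names, banned=("SEED",)):
    """Return suite names with a banned algorithm as a '-'-separated token."""
    return [n for n in names if any(tok in n.split("-") for tok in banned)]


def audit(cipher_string, banned=("SEED",)):
    """Expand a cipher string and report how many suites it enables and
    which of them use a banned algorithm."""
    names = expand(cipher_string)
    return {"suites": len(names), "flagged": flag(names, banned)}


if __name__ == "__main__":
    for s in CANDIDATES:
        r = audit(s)
        print(f"{s!r}: {r['suites']} suites, flagged: {r['flagged'] or 'none'}")
```

Comparing the suite counts shows how much narrower the cipherli.st string is than a default list with only SEED removed, which is the trade-off the post describes.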