Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher lis…

Author: Phil Pennock
Date:  
To: mje
CC: exim-users
Subject: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
On 2018-03-28 at 11:43 +0200, Mark Elkins via Exim-users wrote:
> Begs the question, do DANE-enabled machines therefore perhaps require
> stronger encryption - as their owners should know what they are doing?
>
> I've no idea if it's possible to allow weaker encryption for
> opportunistic connections but enforce stronger encryption types on
> DANE compliant connections?

At present, it would require a bit of fiddling and log processing.

We have `$tls_out_dane` but the value is determined far too late to be
usable for setting `tls_require_ciphers` on the Transport.

We'd probably want some other variable, set as soon as we have DNS
signalling that DANE should be used, which can be referenced.
$smtp_found_dane or something? Note that DANE support is Experimental
and feedback and requests are a good thing (patches even better!).

If not willing to edit Exim's source, then at present I'd just make sure
that `log_selector` includes `+tls_certificate_verified` and look for
`CV=dane` in the logs. A log processor could identify all domains
where that's seen, and things verified, and then update a DB of "domains
we should use better crypto for". It's hacky, but then it would be the
beginning of a lightweight reputation tracking system for outbound
connections.

-Phil
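A sketch of the log-processing step described above, added here as an illustration and not code from Phil or from the Exim project. It assumes `log_selector` already includes `+tls_certificate_verified`, so each completed delivery (`=>`) line in the main log carries a `CV=` field (`dane`, `yes` or `no`); the log lines are constructed samples, and the "domain list" output format is a hypothetical one chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample Exim main-log lines (not real traffic). Line 4 is a
# deferral ("==") with no TLS fields and must be ignored by the parser.
SAMPLE_LOG = """\
2018-03-28 12:00:01 1f1AAA-000111-01 => alice@example.org R=dnslookup T=remote_smtp H=mx1.example.org [192.0.2.10] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=dane C="250 OK"
2018-03-28 12:00:02 1f1AAA-000111-02 => bob@example.com R=dnslookup T=remote_smtp H=mx.example.com [198.51.100.5] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no C="250 OK"
2018-03-28 12:00:03 1f1AAA-000111-03 => carol@example.net R=dnslookup T=remote_smtp H=mail.example.net [203.0.113.7] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes C="250 OK"
2018-03-28 12:00:04 1f1AAA-000111-04 == dave@example.org R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2018-03-28 12:00:05 1f1AAA-000111-05 => erin@example.org R=dnslookup T=remote_smtp H=mx2.example.org [192.0.2.11] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=dane C="250 OK"
"""

# A completed delivery line: timestamp, message id, "=>", recipient,
# then the remote host H=name [ip] and the certificate-verification field.
DELIVERY_RE = re.compile(
    r"^\S+ \S+ \S+ => [^@\s]+@(?P<domain>\S+) .*?"
    r"H=(?P<host>\S+) \[[^\]]+\].*? CV=(?P<cv>\S+)"
)


def parse_deliveries(log_text):
    """Yield (domain, host, cv) for every completed delivery line that
    carries a CV= field; deferrals and lines without TLS info are skipped."""
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            yield (m.group("domain").lower(),
                   m.group("host").lower(),
                   m.group("cv"))


def dane_verified_domains(log_text):
    """Domains where at least one delivery was DANE-verified (CV=dane),
    mapped to the set of MX hosts on which that was observed."""
    seen = defaultdict(set)
    for domain, host, cv in parse_deliveries(log_text):
        if cv == "dane":
            seen[domain].add(host)
    return dict(seen)


def verification_summary(log_text):
    """Per-domain counts of each CV outcome. Comparing two runs of this lets
    you notice a domain that previously verified via DANE and no longer
    does, which is worth investigating rather than silently accepting."""
    summary = defaultdict(lambda: defaultdict(int))
    for domain, _host, cv in parse_deliveries(log_text):
        summary[domain][cv] += 1
    return {d: dict(c) for d, c in summary.items()}


def render_domain_list(domains):
    """Render 'domain: host1 host2' lines, sorted, as the plain-text
    'domains we should use better crypto for' file (hypothetical format)."""
    return "\n".join(
        f"{d}: {' '.join(sorted(hosts))}" for d, hosts in sorted(domains.items())
    )


if __name__ == "__main__":
    print(render_domain_list(dane_verified_domains(SAMPLE_LOG)))
    print(verification_summary(SAMPLE_LOG))
```

Running it on the sample prints `example.org: mx1.example.org mx2.example.org`, since only the two example.org deliveries were DANE-verified; example.net verified against the CA bundle (`CV=yes`) and example.com did not verify at all, so neither belongs on the list. The rendered file is the "DB" Phil mentions; how a transport then consumes it is left to the deployment.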