Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher lis…

Author: Phil Pennock
Date:
To: mje, exim-users
New-Topics: [exim] DANE / TLS ciphersuite improvements
Subject: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote:
> $smtp_found_dane or something? Note that DANE support is Experimental
> and feedback and requests are a good thing (patches even better!).


Uh ... DANE graduated from Experimental, I forgot. Sorry.

Am tentatively thinking that since so many other TLS-related Transport
options are ignored under DANE, and we don't require complicated
expansion rules, the cleanest and easiest would be to have a new option,
`dane_require_tls_ciphers`; if unset, `tls_require_ciphers` would be
used as the default, but if set and _IF_ DANE is in play, then this
cipherlist would be used instead.

I'll code up a strawman for consideration.

-Phil