Re: [exim] Next Exim: TLS: changed smarthost example config

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] Next Exim: TLS: changed smarthost example config


> On Apr 20, 2018, at 8:17 PM, Phil Pennock via Exim-users <exim-users@???> wrote:
>
> .ifdef _HAVE_OPENSSL
> tls_require_ciphers = HIGH:@STRENGTH
> .endif


I'd make that:

    HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd


Because, the ciphers are already sensibly ordered as of OpenSSL 1.0.0.
The HIGH ciphers are only HIGH by virtue of symmetric cipher strength,
but in fact include anon-DH ciphers with strong bulk crypto, which given
the desired to authenticate the peer should not be included.

This also disables DSA which nobody uses and fixed DH/ECDH ciphers which
are not and should not be used. With OpenSSL 1.0.2 this brings the cipher
count down from 82 to 52.

-- 
    Viktor.