On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote:
> I'd make that:
>
> HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
>
> Because, the ciphers are already sensibly ordered as of OpenSSL 1.0.0.

No matter what we tell people and how much we push towards 1.0.2 as a
minimum, I am confident that as long as someone can cobble together a
way to keep running with OpenSSL 0.9.8 then _someone_ will do so.
Thus @STRENGTH stays. I believe that !aNULL is covered by requiring
verification, but sure, good to disable here. The others: it's more
complex knowledge of what should be put where end administrators touch
things than I'm entirely comfortable with.

So your string is "better" but I don't want to be putting that level of
intimidating TLS configuration into our starting configuration file.
Thus "HIGH:!aNULL:@STRENGTH" and _if_ I find time to work on the
suggested OpenSSL integration revamp, then something which disables
older versions of TLS, as for GnuTLS.

-Phil
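The two cipher strings from this exchange can be checked against whatever OpenSSL a host actually runs, which is the concern behind keeping @STRENGTH. The script below is an added example, not code from the thread or from Exim: it feeds each string to the local OpenSSL through Python's ssl module, lists what is selected, confirms no anonymous (Au=None) suite survives !aNULL, checks that the pre-TLS 1.3 suites come out in non-increasing strength order, and shows which suites Phil's shorter string keeps that Viktor's longer one drops. The helper names are this example's own; the exact suite list depends on the OpenSSL version Python is linked against.

```python
"""Inspect what an OpenSSL cipher string selects on this build (added example)."""
import re
import ssl

PHIL = "HIGH:!aNULL:@STRENGTH"
VIKTOR = "HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd"

# Same "Kx=... Au=..." fields that `openssl ciphers -v` prints.
_DESC = re.compile(r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def selected_suites(cipher_string):
    """Return [(name, protocol, kx, au, strength_bits)] in OpenSSL's offer order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    out = []
    for c in ctx.get_ciphers():
        m = _DESC.search(c["description"])
        kx, au = (m.group("kx"), m.group("au")) if m else ("?", "?")
        out.append((c["name"], c["protocol"], kx, au, c["strength_bits"]))
    return out


def anonymous_suites(suites):
    """Suites with no server authentication, i.e. what !aNULL is meant to remove."""
    return [s for s in suites if s[3] == "None"]


def strength_sorted(suites):
    """True if pre-TLS1.3 suites are in non-increasing strength order (@STRENGTH).
    TLS 1.3 suites are governed separately and always listed first, so skip them."""
    bits = [s[4] for s in suites if s[1] != "TLSv1.3"]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def only_in_first(a, b):
    """Suite names cipher string a selects that cipher string b does not."""
    names_b = {s[0] for s in selected_suites(b)}
    return [s[0] for s in selected_suites(a) if s[0] not in names_b]


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, cs in (("Phil", PHIL), ("Viktor", VIKTOR)):
        suites = selected_suites(cs)
        print(f"{label}: {cs} -> {len(suites)} suites, "
              f"{len(anonymous_suites(suites))} anonymous, "
              f"strength-sorted={strength_sorted(suites)}")
    print("kept by Phil's string, dropped by Viktor's:", only_in_first(PHIL, VIKTOR))
```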