Re: [exim] Next Exim: TLS: changed smarthost example config

Author: Phil Pennock
Date:  
To: Viktor Dukhovni via Exim-users
CC: Viktor Dukhovni
Subject: Re: [exim] Next Exim: TLS: changed smarthost example config
On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote:
> I'd make that:
>
>     HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
>
> Because, the ciphers are already sensibly ordered as of OpenSSL 1.0.0.

No matter what we tell people and how much we push towards 1.0.2 as a
minimum, I am confident that as long as someone can cobble together a
way to keep running with OpenSSL 0.9.8 then _someone_ will do so.

Thus @STRENGTH stays. I believe that !aNULL is covered by requiring
verification, but sure, good to disable here. The others: it's more
complex knowledge of what should be put where end administrators touch
things than I'm entirely comfortable with.

So your string is "better" but I don't want to be putting that level of
intimidating TLS configuration into our starting configuration file.

Thus "HIGH:!aNULL:@STRENGTH" and _if_ I find time to work on the
suggested OpenSSL integration revamp, then something which disables
older versions of TLS, as for GnuTLS.

-Phil
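To make the difference between the two cipher strings concrete, here is an added example that is not part of the thread and not Exim or OpenSSL code: a toy evaluator for the subset of OpenSSL cipher-list grammar the two strings use (plain keywords add, `!` kills permanently, `-` removes, `+` moves to the end, `@STRENGTH` sorts by symmetric key size). The cipher table is hand-constructed with keyword attributes as OpenSSL 1.0.x names them (kECDHr/kECDHe and kDHr/kDHd are the static key-exchange suites that 1.1.0 later dropped); it is not the output of any real build, and the master ordering is only an approximation of 1.0.x's PFS-first default. Run it to see that Viktor's string leaves the library's order intact and drops the static-DH/ECDH and DSS suites, while `HIGH:!aNULL:@STRENGTH` keeps those suites and moves the 256-bit static-RSA suite ahead of the 128-bit ECDHE-GCM suite.

```python
"""Toy evaluator for OpenSSL cipher-list strings (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str     # key-exchange keyword: kRSA, kDHE, kECDHE, kDHr, kDHd, kECDHr, kECDHe
    au: str     # authentication keyword: aRSA, aECDSA, aDSS, aDH, aECDH, aNULL
    bits: int   # symmetric key size, the sort key used by @STRENGTH
    level: str  # strength class: HIGH or MEDIUM


# Constructed master list. The order loosely mimics OpenSSL 1.0.x (ephemeral
# ECDH first, then static ECDH, then DHE, then static DH, then plain RSA), so
# a bare "HIGH" already expands to a sensible preference order.
MASTER = [
    Suite("ECDHE-ECDSA-AES256-GCM-SHA384", "kECDHE", "aECDSA", 256, "HIGH"),
    Suite("ECDHE-RSA-AES256-GCM-SHA384",   "kECDHE", "aRSA",   256, "HIGH"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256",   "kECDHE", "aRSA",   128, "HIGH"),
    Suite("ECDH-RSA-AES256-SHA",           "kECDHr", "aECDH",  256, "HIGH"),
    Suite("ECDH-ECDSA-AES256-SHA",         "kECDHe", "aECDH",  256, "HIGH"),
    Suite("AECDH-AES256-SHA",              "kECDHE", "aNULL",  256, "HIGH"),
    Suite("DHE-RSA-AES256-SHA",            "kDHE",   "aRSA",   256, "HIGH"),
    Suite("DHE-DSS-AES256-SHA",            "kDHE",   "aDSS",   256, "HIGH"),
    Suite("DH-RSA-AES256-SHA",             "kDHr",   "aDH",    256, "HIGH"),
    Suite("DH-DSS-AES256-SHA",             "kDHd",   "aDH",    256, "HIGH"),
    Suite("ADH-AES256-SHA",                "kDHE",   "aNULL",  256, "HIGH"),
    Suite("AES256-SHA",                    "kRSA",   "aRSA",   256, "HIGH"),
    Suite("AES128-SHA",                    "kRSA",   "aRSA",   128, "HIGH"),
    Suite("RC4-SHA",                       "kRSA",   "aRSA",   128, "MEDIUM"),
]

# Older spellings of the ephemeral keywords map onto the ones in the table.
ALIASES = {"kEECDH": "kECDHE", "kEDH": "kDHE"}
KNOWN = {a for s in MASTER for a in (s.kx, s.au, s.level)} | set(ALIASES)


def matches(suite, keyword):
    """True if a single keyword (no '+' conjunctions) selects this suite."""
    keyword = ALIASES.get(keyword, keyword)
    return keyword in (suite.kx, suite.au, suite.level)


def evaluate(spec, master=MASTER):
    """Return the suite names selected by an OpenSSL-style cipher string."""
    selected = []   # ordered working list
    killed = set()  # '!' removals are permanent for the rest of the string
    for token in spec.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            # list.sort is stable, so ties keep their existing relative order
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if word not in KNOWN:
            raise ValueError(f"unknown cipher keyword: {word!r}")
        hits = [s for s in master if matches(s, word)]
        if op == "!":
            killed.update(s.name for s in hits)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            for s in hits:
                if s not in selected and s.name not in killed:
                    selected.append(s)
    return [s.name for s in selected]


# The two strings from the thread.
PHIL = "HIGH:!aNULL:@STRENGTH"
VIKTOR = "HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd"


def compare():
    return {PHIL: evaluate(PHIL), VIKTOR: evaluate(VIKTOR)}


if __name__ == "__main__":
    for spec, names in compare().items():
        print(spec)
        for i, n in enumerate(names, 1):
            print(f"  {i:2d}. {n}")
```

Against a real build, the equivalent check is `openssl ciphers -v '<string>'`, whose output columns are the same Kx/Au/Enc attributes the toy table carries; the toy only exists to show how the operators compose without needing a particular OpenSSL version installed.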