Re: [exim] SSL forcing

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] SSL forcing
On 19/05/2019 18:00, Cyborg via Exim-users wrote:
> Problem is, that even if tls_1.2 is out since 2008, a communication
> partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *",
> you will accept i
>
> It's better to check the protocol via $tls_cipher for TLS 1.2 and 1.3,
> and reject anything not 1.2 or 1.3.


If you are concerned about TLS versions, the easiest configuration
is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
string) or openssl_options (for OpenSSL).

--
Cheers,
Jeremy
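
The two options named in the reply above, shown as an added illustration that is not part of the original message. It assumes the goal from the quoted text (nothing older than TLS 1.2) and that only the stanza matching the TLS library of your Exim build is used.

```conf
# Exim main configuration section (added example, not from the thread).
# "exim -bV" reports whether the binary was built with OpenSSL or GnuTLS.

# --- Exim built with OpenSSL ---
# openssl_options takes OpenSSL SSL_OP_* flag names, each +added or
# -subtracted. These switch off every protocol version below TLS 1.2.
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

# --- Exim built with GnuTLS ---
# tls_require_ciphers is handed to GnuTLS as a priority string.
# Start from the NORMAL set and remove the old protocol versions.
tls_require_ciphers = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
```

After reloading Exim, a handshake forced to an old version, for example `openssl s_client -starttls smtp -connect mail.example.org:25 -tls1_1` (placeholder host name), should fail while `-tls1_2` succeeds.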