Re: [exim] SSL forcing

Author: Richard Jones
Date:  
To: exim-users
Subject: Re: [exim] SSL forcing
On May 19, Jeremy Harris via Exim-users wrote
> On 19/05/2019 18:00, Cyborg via Exim-users wrote:
> > Problem is, that even if tls_1.2 is out since 2008, a communication
> > partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *",
> > you will accept i
> >
> > It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
> > and reject anything not 1.2 or 1.3.
>
> If you are concerned about TLS versions, the easiest configuration
> is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
> string) or openssl_options (for OpenSSL).
I added +tls_cipher to log_selector which adds an X= entry to the log
file entries for inbound TLS connections. In my case (for a low volume
personal mailserver which I enjoy spending *far* too much time
maintaining) I get this:

# egrep -o 'X=TLS[^ ]+' /var/log/exim4/mainlog  | sort | uniq -c | sort -n | tail
     82 X=TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128
    167 X=TLS1.2:DHE_RSA_AES_256_GCM_SHA384:256
    272 X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
    289 X=TLS1.2:ECDHE_ECDSA_AES_128_CBC_SHA256:128
    296 X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256
    466 X=TLS1.2:ECDHE_ECDSA_CHACHA20_POLY1305:256
    691 X=TLS1.2:ECDHE_ECDSA_AES_256_GCM_SHA384:256
    727 X=TLS1.2:ECDHE_ECDSA_AES_128_GCM_SHA256:128
   1053 X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
  15878 X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
Sadly I want to continue to receive some of those TLS1.0 inbound
connections. One of them is from the OWASP CRS mailing list. Of all
people!

HTH

Richard

--
junix.systems/privacy
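The tally above only tells you how many connections used each version; before tightening tls_require_ciphers or openssl_options you usually also want to know which peers would be affected. The script below is an added example (not from this thread or from Exim itself): it counts inbound X= protocol versions and lists the H= host/IP pairs that still negotiate legacy versions. The log lines are constructed samples in the GnuTLS-style shape shown in the message, with made-up hostnames, and the peer parser assumes the plain "H=host [ip]" form.

```shell
#!/bin/sh
# Added example: summarise inbound TLS versions from an Exim mainlog with
# log_selector = +tls_cipher, and show which peers still use legacy versions.
# SAMPLE_LOG is a constructed sample (hosts and IPs are documentation values).
SAMPLE_LOG=$(cat <<'EOF'
2019-05-19 10:01:02 1hSj9A-0001aa-Xx <= alice@example.org H=mx1.example.org [192.0.2.10] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1234
2019-05-19 10:05:11 1hSjDB-0001ab-Yy <= list@lists.example.net H=lists.example.net [198.51.100.7] X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 CV=no S=2048
2019-05-19 10:09:47 1hSjHC-0001ac-Zz <= bob@example.com H=mail.example.com [203.0.113.5] X=TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no S=777
2019-05-19 10:12:00 1hSjJD-0001ad-Ww <= news@lists.example.net H=lists.example.net [198.51.100.7] X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 CV=no S=3000
2019-05-19 10:15:30 1hSjLE-0001ae-Vv <= carol@example.org H=mx1.example.org [192.0.2.10] X=TLS1.2:ECDHE_ECDSA_AES_128_GCM_SHA256:128 CV=no S=512
2019-05-19 10:20:00 1hSjPF-0001af-Uu <= nobody@example.net H=(localhost) [127.0.0.1] S=100
EOF
)

# Count connections per protocol version (the part of X= before the first
# colon). Reads log text on stdin; prints "<count> <version>", sorted by name.
tls_version_counts() {
    grep -o 'X=[^ :]*' | sort | uniq -c | awk '{print $1, substr($2, 3)}'
}

# List peers that negotiated SSLv2/SSLv3/TLS1.0/TLS1.1, so the impact of
# restricting versions can be judged per sender. Assumes "H=host [ip]" and
# prints "<count> <host> <ip> <version>" for each distinct peer/version.
legacy_tls_peers() {
    awk '
        /X=(SSLv[23]|TLSv1(\.[01])?|TLS1\.[01]):/ {
            host = ""; ip = ""; ver = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^H=/) { host = substr($i, 3); ip = $(i + 1); gsub(/\[|\]/, "", ip) }
                if ($i ~ /^X=/) { split(substr($i, 3), p, ":"); ver = p[1] }
            }
            n[host " " ip " " ver]++
        }
        END { for (k in n) print n[k], k }
    ' | sort
}

# Demonstration on the constructed sample; use the real mainlog in practice:
#   tls_version_counts < /var/log/exim4/mainlog
printf '%s\n' "$SAMPLE_LOG" | tls_version_counts
printf '%s\n' "$SAMPLE_LOG" | legacy_tls_peers
```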