Re: [exim] Available ciphers with stock Debian (gnutls) exim

Author: Russell King
Date:  
To: exim-users
Subject: Re: [exim] Available ciphers with stock Debian (gnutls) exim
On Sat, Jul 13, 2019 at 01:52:50PM +0100, Russell King via Exim-users wrote:
> On Sat, Jul 13, 2019 at 01:32:34PM +0100, Russell King via Exim-users wrote:
> > Maybe it's something to do with the certs/key?
>
> ... and it was - the wrong usage on the cert. Now fixed.


Maybe someone can provide some hints what Key Usage should be set for
an exim server certificate. According to Red Hat's website:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Standard_X.509_v3_Certificate_Extensions.html

leads me to think that only keyEncipherment and keyAgreement need be
set - this is what I had originally, and gnutls refused to offer any
EC ciphers.

Adding digitalSignature and nonRepudiation to the cert seems to have
allowed gnutls to enable EC ciphers, but I don't understand why based
on the description above.

Can someone say definitively what key usages should be set and which
should not be set for an exim server and explain why for each?

Thanks.

--
Russell King
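
Added example, not part of the original message: a decoder for the DER BIT STRING in a certificate's keyUsage extension that lists which TLS 1.2 key-exchange families the certificate may serve, using the requirements table in RFC 5246 section 7.4.2. The function names and the two sample byte strings are constructed here; the samples encode the "before" and "after" usage sets described in the message.

```python
# Bit positions of the keyUsage extension, in RFC 5280 order (bit 0 first).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# TLS 1.2 key-exchange family -> keyUsage bit the server certificate must
# carry when the extension is present (RFC 5246 section 7.4.2).
# TLS 1.3 always authenticates with a signature, so it needs digitalSignature.
KX_REQUIRES = {
    "RSA": "keyEncipherment",              # RSA key transport, no (EC)DHE
    "DHE_RSA/ECDHE_RSA": "digitalSignature",
    "ECDHE_ECDSA": "digitalSignature",
    "ECDH_RSA/ECDH_ECDSA": "keyAgreement",  # static ECDH only
}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING held in the keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with at least one data byte")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused = der[2]                 # padding bits at the end of the last byte
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    payload = der[3:]
    total_bits = len(payload) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))
    }

def permitted_key_exchanges(der_key_usage):
    """Return the families allowed; None means the extension is absent."""
    if der_key_usage is None:       # no extension: no restriction applies
        return list(KX_REQUIRES)
    usages = decode_key_usage(der_key_usage)
    return [kx for kx, need in KX_REQUIRES.items() if need in usages]

# Constructed samples matching the two usage sets named in the message.
ORIGINAL = bytes.fromhex("03020328")  # keyEncipherment + keyAgreement
FIXED = bytes.fromhex("030203e8")     # + digitalSignature, nonRepudiation

if __name__ == "__main__":
    for label, der in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, sorted(decode_key_usage(der)), permitted_key_exchanges(der))
```

With the original usage set, no ephemeral (ECDHE) family is permitted, because each of them requires digitalSignature.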