On 10/10/2019 15:30, jmedard--- via Exim-users wrote:
> On Exim the order of the encryption string, present in "tls_require_ciphers"
> does not matter, the order is not used.
>
>
>
> I think this requires the switch to "Server preference", via the
> openssl_options: "+cipher_server_preference", but it is not enough for the
> server to define a recommended encryption algorithm.
>
>
>
> How is it possible to define a cipher algorithm preference, please?
Since you mention openssl_options I'm assuming you are using an Exim
built for use with OpenSSL. Please doublecheck this, as it affects
the answer.
We are limited by what the library provides.
The openssl_options are fed to the SSL_CTX_set_options() interface
(via some fairly-obvious processing). The tls_require_ciphers is
fed to SSL_CTX_set_cipher_list().
http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphssl
talks about order of the list of ciphers, which to me implies that
the library uses that order as a preference.
--
Cheers,
Jeremy