Re: [exim] Define preferred encryption algorithms

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jeremy Harris
Date:  
À: exim-users
Sujet: Re: [exim] Define preferred encryption algorithms
On 10/10/2019 15:30, jmedard--- via Exim-users wrote:
> On Exim the order of the encryption string, present in "tls_require_ciphers"
> does not matter, the order is not used.
>
>
>
> I think this requires the switch to "Server preference", via the
> openssl_options: "+cipher_server_preference", but it is not enough for the
> server to define a recommended encryption algorithm.
>
>
>
> How is it possible to define a cipher algorithm preference, please?


Since you mention openssl_options I'm assuming you are using an Exim
built for use with OpenSSL. Please doublecheck this, as it affects
the answer.

We are limited by what the library provides.

The openssl_options are fed to the SSL_CTX_set_options() interface
(via some fairly-obvious processing). The tls_require_ciphers is
fed to SSL_CTX_set_cipher_list().


http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphssl

talks about order of the list of ciphers, which to me implies that
the library uses that order as a preference.
--
Cheers,
Jeremy