Re: [exim] Define preferred encryption algorithms

Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] Define preferred encryption algorithms
On 10/10/2019 15:30, jmedard--- via Exim-users wrote:
> On Exim the order of the encryption string, present in "tls_require_ciphers"
> does not matter, the order is not used.
>
>
>
> I think this requires the switch to "Server preference", via the
> openssl_options: "+cipher_server_preference", but it is not enough for the
> server to define a recommended encryption algorithm.
>
>
>
> How is it possible to define a cipher algorithm preference, please?


Since you mention openssl_options I'm assuming you are using an Exim
built for use with OpenSSL. Please double-check this, as it affects
the answer.

We are limited by what the library provides.

The openssl_options are fed to the SSL_CTX_set_options() interface
(via some fairly-obvious processing). The tls_require_ciphers is
fed to SSL_CTX_set_cipher_list().


http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphssl

talks about order of the list of ciphers, which to me implies that
the library uses that order as a preference.
--
Cheers,
Jeremy
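
The two settings discussed in this thread, as an added example for an Exim built against OpenSSL (not part of the original message and not taken from the Exim distribution). The cipher names are constructed sample values in OpenSSL cipher-list syntax; substitute the suites your policy calls for.

```conf
# Exim main configuration section (OpenSSL builds only).

# --- Before: a cipher list alone ---------------------------------------
# The string is handed to SSL_CTX_set_cipher_list(). It restricts what the
# server will accept, but without the server-preference option OpenSSL
# picks the first mutually supported suite in the CLIENT's order.
#
# tls_require_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

# --- After: the same list, with the server's order enforced ------------
# Order the list strongest-first; it becomes the preference order once
# SSL_OP_CIPHER_SERVER_PREFERENCE is set through openssl_options.
tls_require_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

# Passed (after Exim's processing) to SSL_CTX_set_options().
openssl_options = +cipher_server_preference

# Checks an administrator can run:
#   exim -bP tls_require_ciphers openssl_options
#       prints the values Exim actually loaded
#   openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
#       prints the suites the library expands the string to, in preference order
#
# Caveat: SSL_CTX_set_cipher_list() governs TLS 1.2 and earlier suites.
# OpenSSL configures TLS 1.3 suites through a separate call, so this list
# does not reorder them.
```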