Re: [exim] Define preferred encryption algorithms

Page principale
Supprimer ce message
Répondre à ce message
Auteur: jmedard
Date:  
À: exim-users
Sujet: Re: [exim] Define preferred encryption algorithms
Hello,
Thank you for your answer.
Yes, I am talking about EXIM with the use of OpenSSL.
I understand that EXIM is limited to the specifications of the OpenSSL
library.
Regards
JME

-----Message d'origine-----
De : Exim-users <exim-users-bounces+jmedard=amv-sa.fr@???> De la part
de Jeremy Harris via Exim-users
Envoyé : vendredi 11 octobre 2019 11:55
À : exim-users@???
Objet : Re: [exim] Define preferred encryption algorithms

On 10/10/2019 15:30, jmedard--- via Exim-users wrote:
> On Exim the order of the encryption string, present in

"tls_require_ciphers"
> does not matter, the order is not used.
>
>
>
> I think this requires the switch to "Server preference", via the
> openssl_options: "+cipher_server_preference", but it is not enough for
> the server to define a recommended encryption algorithm.
>
>
>
> How is it possible to define a cipher algorithm preference, please?


Since you mention openssl_options I'm assuming you are using an Exim built
for use with OpenSSL. Please doublecheck this, as it affects the answer.

We are limited by what the library provides.

The openssl_options are fed to the SSL_CTX_set_options() interface (via some
fairly-obvious processing). The tls_require_ciphers is fed to
SSL_CTX_set_cipher_list().


http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_conne
ctions_using_tlsssl.html#SECTreqciphssl

talks about order of the list of ciphers, which to me implies that the
library uses that order as a preference.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/