[exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA2…

Etusivu
Poista viesti
Vastaa
Lähettäjä: admin
Päiväys:  
Vastaanottaja: exim-dev
Vanhat otsikot: [exim-dev] [Bug 2872] New: Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
Aihe: [exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
https://bugs.exim.org/show_bug.cgi?id=2872

help@??? changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |help@???


--- Comment #3 from help@??? ---
Although I agree this is not a bug but a wishlist item, I also want to join
this request. For me, it is the fact that I only want to enable 256bit
encryption throughout my server - which with exim and TLSv1.3 enabled - I am
currently unable to do so. Considering that TLSv1.3 is the future and here to
stay (and a developer would consider an implementation) I kindly suggest the
double settings route (like OpenSSL itself and every other major daemon by now)
in form of cipher list and suites:



dovecot example:



ssl = yes
ssl_cert = </srv/tls/full_chain
ssl_key = </srv/tls/private_key
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl_curve_list = secp384r1



lighttpd example:



$SERVER["socket"] == ":443" {

    ssl.engine = "enable"
    ssl.pemfile = "/srv/tls/full_chain"
    ssl.privkey = "/srv/tls/private_key"


    ssl.openssl.ssl-conf-cmd = (


        "CipherString" =>
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305",
        "Ciphersuites" =>
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
        "Curves" => "secp384r1"


    )


}



exim currently:

tls_on_connect_ports = 465
tls_certificate = /srv/tls/full_chain
tls_privatekey = /srv/tls/private_key
tls_require_ciphers =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
tls_eccurve = secp384r1



Possible exim implementation suggestion:

+tls_require_suites = ...

and

+dane_require_tls_suites = ...



Sadly I do not speak C, else I would gladly contribute. So all I am left with,
is hoping that a developer might consider it. Thanks very much.

--
You are receiving this mail because:
You are on the CC list for the bug.