Hi Anders,

On 2013-09-11 08:05:30, Anders wrote:
> Although this doesn't fail, it still doesn't change the RC4-SHA that 
> Courier/ESMTPD uses against Gmail. Look at the following email header:
> 
> Received: from mail.tnonline.net
>          by mx.google.com with ESMTPS id 
> pw1si236926lbb.136.1969.12.31.16.00.00
>          (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
> 
> Granted, TLSv1.2 is supposed to be safe against the published attacks, 
> so it might be OK anyway.... Still would be nice to know why 
> Courier/GnuTLS doesn't choose highest supported cipher?

TLS works in a way that one side suggests ciphers in order of
preference. The other side then compares this list to the ciphers it
supports itself and selects one.

Normally it's the client (connecting side) that suggests, and the server
(connected side) that selects. As the server selects the cipher, it may
honor the precedence proposed by the client, but it may also decide to
follow its own policy. (GnuTLS has for this the keyword
„%SERVER_PRECEDENCE“ which can also be added to the cipher list.)

If Google has a policy of preferring RC4 in any case when the client
supports this algorithm, you cannot force them to not select this
algorithm other than by completely removing it from your list.

(The reason why they might push usage of RC4 is an attack against SSL/TLS
called „BEAST“. RC4 is the algorithm supported by TLS 1.0 that is
able to resist this attack on all SSL/TLS implementations.)


Regards,
Matthias

-- 
Matthias Wimmer
Contact details:     http://matthias.wimmer.tel/
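A small model of the negotiation Matthias describes, added here as an illustration and not code from the thread, Courier or GnuTLS. The cipher lists and the Received: header below are constructed; `negotiate` picks a cipher the way a server would with either client or server precedence, `without` is the client-side fix of dropping RC4 from the offer, and `parse_received` pulls the negotiated version and cipher out of a Gmail-style header so you can check what was actually used.

```python
import re

# Constructed preference lists (first entry = most preferred), using the
# OpenSSL-style names that appear in the quoted Received: header.
CLIENT_CIPHERS = ["AES256-SHA", "AES128-SHA", "RC4-SHA"]
SERVER_CIPHERS = ["RC4-SHA", "AES128-SHA"]


def negotiate(client, server, server_precedence=False):
    """Return the cipher the server selects from the client's offer.

    client: ciphers the connecting side offers, in its order of preference.
    server: ciphers the connected side supports, in its own order.
    server_precedence: True means the server walks its own list first
    (the effect of the GnuTLS %SERVER_PRECEDENCE keyword); False means it
    honours the client's order.
    """
    common = set(client) & set(server)
    if not common:
        raise ValueError("no common cipher; the handshake would fail")
    ordered = server if server_precedence else client
    return next(c for c in ordered if c in common)


def without(ciphers, unwanted):
    """Client-side fix from the mail: remove the cipher from the offer entirely."""
    return [c for c in ciphers if c != unwanted]


# Matches the "(version=... cipher=... bits=N/M)" part Gmail adds for ESMTPS.
RECEIVED_RE = re.compile(
    r"version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)\s+bits=(?P<bits>\d+)/\d+"
)


def parse_received(header):
    """Extract the negotiated TLS version, cipher and key bits from a header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"version": m["version"], "cipher": m["cipher"], "bits": int(m["bits"])}


# Constructed header shaped like the one quoted in the thread (hypothetical hosts).
SAMPLE_HEADER = ("Received: from mail.example.net by mx.example.com with ESMTPS "
                 "id abc123 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);")

if __name__ == "__main__":
    print(negotiate(CLIENT_CIPHERS, SERVER_CIPHERS))                          # AES128-SHA
    print(negotiate(CLIENT_CIPHERS, SERVER_CIPHERS, server_precedence=True))   # RC4-SHA
    print(negotiate(without(CLIENT_CIPHERS, "RC4-SHA"), SERVER_CIPHERS, True))  # AES128-SHA
    print(parse_received(SAMPLE_HEADER))
```

With server precedence the server's own ordering wins, so the only client-side lever is to stop offering RC4-SHA at all.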

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
