On 12/28/2013 12:51 PM, Viktor Dukhovni wrote:
>> Does this modify the ciphers used for all connections, or just for the
>> server in question?
>
> All connections.
>
>> Any suggestions for what ciphers to put in the list besides RC4-MD5?
>
> If you read my previous responses on this thread, you'll notice I
> recommended:
>
>     aRSA+AES128+kEECDH:aRSA+AES128+kEDH:aRSA+AES128+kRSA:RC4-SHA:@STRENGTH
>
> as a compact OpenSSL cipherlist that inter-operates with Exchange
> and yet yields AES with forward-secrecy whenever possible. If you're
> not authenticating the SMTP server (almost nobody is), you can allow
> both anonymous and ECDSA ciphers without bloating the list too much:
>
>     aNULL:-aNULL:AES128+kEECDH:AES128+kEDH:AES128+kRSA:RC4-SHA
>
> this prefers aNULL, since you don't check the certs anyway.

Good point, thanks for these suggestions. I will try both and see how
it goes.
--
Bob Wooldridge
Blog: http://kc0dxf.net/blog
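
Added example, not part of the original message: a simplified Python model of how OpenSSL applies cipherlist rules, showing what the two lists quoted above select and how the `aNULL:-aNULL:` prefix changes where anonymous suites land. The cipher table and its starting order are a constructed subset standing in for OpenSSL's built-in list (an assumption); `openssl ciphers -v '<list>'` shows the expansion on an actual build.

```python
# Simplified model of OpenSSL cipherlist rule processing (added illustration, not OpenSSL code).
# TABLE is a constructed subset: (name, strength bits, tags). Its starting order
# (anonymous suites behind authenticated ones) is an assumption standing in for OpenSSL's default.
TABLE = [
    ("ECDHE-RSA-AES128-SHA",   128, {"kEECDH", "aRSA",   "AES128"}),
    ("ECDHE-ECDSA-AES128-SHA", 128, {"kEECDH", "aECDSA", "AES128"}),
    ("DHE-RSA-AES128-SHA",     128, {"kEDH",   "aRSA",   "AES128"}),
    ("AES128-SHA",             128, {"kRSA",   "aRSA",   "AES128"}),
    ("RC4-SHA",                128, {"kRSA",   "aRSA",   "RC4"}),
    ("RC4-MD5",                128, {"kRSA",   "aRSA",   "RC4"}),
    ("AECDH-AES128-SHA",       128, {"kEECDH", "aNULL",  "AES128"}),
    ("ADH-AES128-SHA",         128, {"kEDH",   "aNULL",  "AES128"}),
    ("ADH-AES256-SHA",         256, {"kEDH",   "aNULL",  "AES256"}),
]

def expand(cipherlist, table=TABLE):
    """Return the ordered suite names that a cipherlist selects in this model."""
    info = {name: (bits, tags | {name}) for name, bits, tags in table}
    order, active = [name for name, _, _ in table], set()
    for rule in cipherlist.split(":"):
        if not rule:
            continue
        if rule == "@STRENGTH":  # stable sort of the active suites by key length
            on = sorted((c for c in order if c in active), key=lambda c: -info[c][0])
            order = [c for c in order if c not in active] + on
            continue
        op = rule[0] if rule[0] in "-+!" else ""
        want = set(rule[len(op):].split("+"))       # "A+B" means A and B together
        hits = [c for c in order if want <= info[c][1]]
        if op == "!":                               # remove for good
            order = [c for c in order if c not in hits]
            active -= set(hits)
            continue
        # "-" only touches active suites, a plain add only inactive ones, "+" only active ones
        sel = [c for c in hits if (c in active) == (op != "")]
        rest = [c for c in order if c not in sel]
        if op == "-":   # deleted suites go to the head, so a later add reaches them first
            order, active = sel + rest, active - set(sel)
        else:           # add (or "+" reorder): selected suites go to the tail
            order, active = rest + sel, active | set(sel)
    return [c for c in order if c in active]

EXCHANGE_LIST = "aRSA+AES128+kEECDH:aRSA+AES128+kEDH:aRSA+AES128+kRSA:RC4-SHA:@STRENGTH"
ANON_LIST = "aNULL:-aNULL:AES128+kEECDH:AES128+kEDH:AES128+kRSA:RC4-SHA"

if __name__ == "__main__":
    for label, cl in (("exchange", EXCHANGE_LIST), ("anon", ANON_LIST)):
        print(label, expand(cl))
```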