Is there any opportunity to set different cipher suites for different versions of TLS?

2013-12-28 Thread Vladimir Belov
Hi, For example, I want to exclude wholly RC4 cipher suites for TLS 1.2/1.1 and leave them only for <=TLS 1.0 The reason is the same BEAST. But if we have only one string with cipher suites we can't do this because we need RC4 for TLS 1.0 and lower. --- Regards.

Re: Verisign Problem with smtp tls

2013-12-28 Thread Michael Ströder
Viktor Dukhovni wrote: With SMTP, PKIX certificate verification is pointless without explicit per-destination configuration: http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2 This is why I am working to implement and standardize SMTP with DANE TLS.

Re: Verisign Problem with smtp tls

2013-12-28 Thread Viktor Dukhovni
On Sat, Dec 28, 2013 at 05:56:41PM +0100, Michael Ströder wrote: http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2 This is why I am working to implement and standardize SMTP with DANE TLS. DANE itself does not help. It just shifts the trust anchor

Re: Verisign Problem with smtp tls

2013-12-28 Thread Bobber
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote: There's your problem! This server (likely Exchange 2003) has a broken implementation of 3DES CBC padding (search Postfix users archives for my posts on the subject), and your cipher list is either long enough to cause it to not see RC4-SHA and

Re: Verisign Problem with smtp tls

2013-12-28 Thread Daode
|SMTP TLS, but I am not obligated to provide a comprehensive |justification in response to every trollish one liner, the above Luckily there is the UDPish EDNS0 extension from RFC 2671 as in The default is 1280 (RFC 2671, 4.5.1.). The minimum is 1024 (RFC 3226, 3.; note: not 1220!). The

Re: Verisign Problem with smtp tls

2013-12-28 Thread Viktor Dukhovni
On Sat, Dec 28, 2013 at 12:23:21PM -0600, Bobber wrote: Thanks very much for your help Viktor. I was able to specify the RC4-MD5 cipher and it works. I am using Qmail with the John Simpson patch set by the way. There is a control file (tlsclientcipher) which John had not documented but

Re: Verisign Problem with smtp tls

2013-12-28 Thread Bobber
On 12/28/2013 12:51 PM, Viktor Dukhovni wrote: Does this modify the ciphers used for all connections, or just for the server in question? All connections. Any suggestions for what ciphers to put in the list besides RC4-MD5? If you read my previous responses on this thread, you'll notice I

Re: Verisign Problem with smtp tls

2013-12-28 Thread Viktor Dukhovni
On Sat, Dec 28, 2013 at 12:58:58PM -0600, Bobber wrote: Does this modify the ciphers used for all connections, or just for the server in question? All connections. In that case I would go for the second cipherlist, though still compact, it is a superset of the first and will interoperate