Anders writes:
Since RC4/ARCFOUR has been in the news as "breakable" I was wondering if it is possible to have courier prioritize AES in favour of RC4 if supported?

For example, gmail uses RC4 by default, but does support AES:

    # openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-RC4-SHA

    # openssl s_client -cipher AES128-SHA -connect gmail-smtp-in.l.google.com:25 -starttls smtp
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA

I have tried to set

    TLS_PRIORITY="AES256-SHA256:NORMAL:-CTYPE-OPENPGP"

or

    TLS_PRIORITY="AES-256-CBC:NORMAL:-CTYPE-OPENPGP"

in both esmtpd and esmtpd-msa, but then I cannot connect at all (using openssl to my courier server). If I leave the default "NORMAL:-CTYPE-OPENPGP" it works:

    # openssl s_client -connect localhost:587 -starttls smtp
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256

So, what I am trying to achieve is to prioritize some ciphers before others, even for normal smtp courier->other host (like gmail). How should I use the TLS_PRIORITY setting properly to do this? I have tried to use ciphers and ciphersuites from "gnutls-cli -l". Courier is compiled with gnutls.
For gnutls, its cipher priority configuration is documented in its man pages:

    http://manpages.courier-mta.org/htmlman3/gnutls_priority_init.3.html

If you want to exclude RC4, try NORMAL:-CTYPE-OPENPGP:-RC4
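As an added illustration (not from the thread, Courier or GnuTLS), the TLS_PRIORITY strings discussed above run through gnutls-cli's "-l --priority" listing, which shows why the first one cannot work and whether any RC4 suite survives the fix. It assumes gnutls-cli is installed and spells the cipher as ARCFOUR-128, GnuTLS's own name for RC4; the same check tells you whether your GnuTLS build also accepts the shorter -RC4 token from the reply.

```shell
#!/bin/sh
# Added example for this thread, not Courier's own code or configuration.
# Checks what a Courier TLS_PRIORITY string actually enables in GnuTLS
# before it goes into the esmtpd / esmtpd-msa configuration.

# The poster's attempt. "AES256-SHA256" is an OpenSSL suite name; GnuTLS
# accepts only its own keywords, and after the initial level keyword
# (NORMAL, SECURE128, ...) every further keyword must carry a + - or !
# prefix. The string therefore fails to parse, and esmtpd cannot start
# a TLS session at all, which is the "cannot connect" symptom.
BROKEN_PRIORITY="AES256-SHA256:NORMAL:-CTYPE-OPENPGP"

# Courier's default from the thread. Whether RC4 is still in NORMAL
# depends on the GnuTLS version; the check below reports it either way.
DEFAULT_PRIORITY="NORMAL:-CTYPE-OPENPGP"

# The reply's approach, keeping NORMAL and removing only RC4, written
# with GnuTLS's cipher name (ARCFOUR-128). To see whether your build also
# takes -RC4, run that spelling through rc4_suites_enabled as well.
FIXED_PRIORITY="NORMAL:-CTYPE-OPENPGP:-ARCFOUR-128"

# Print the number of RC4 (ARCFOUR) ciphersuites the priority string $1
# enables, or -1 when gnutls-cli rejects the string (syntax error, or
# gnutls-cli not installed). Never fails, so it is safe under set -e.
rc4_suites_enabled() {
    out=$(gnutls-cli -l --priority "$1" 2>/dev/null) || { echo -1; return 0; }
    # grep -c exits 1 on zero matches but still prints 0; keep the status 0.
    printf '%s\n' "$out" | grep -c ARCFOUR || true
}

# Report on all three strings when the script is run directly. A result
# of -1 for the broken string and 0 for the fixed one is what you want
# before restarting Courier with the new TLS_PRIORITY.
for p in "$BROKEN_PRIORITY" "$DEFAULT_PRIORITY" "$FIXED_PRIORITY"; do
    printf '%-45s RC4 suites: %s\n' "$p" "$(rc4_suites_enabled "$p")"
done
```

After the new string is in place, the same openssl s_client commands the poster used against localhost:587 confirm that the server no longer negotiates an RC4 suite.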
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users