http://bugs.exim.org/show_bug.cgi?id=674

--- Comment #11 from Martin Kaiser <[EMAIL PROTECTED]> 2008-08-14 21:02:12 ---

(In reply to comment #9)

Hi Phil,

nice to see that there's been some activity about this bug lately ;-)

> Created an attachment (id=261) --> (http://bugs.exim.org/attachment.cgi?id=261)
> New global option, openssl_load_all
>
> I think this is a reasonable compromise and sensible way forward for now,
> without undermining the whole point of the exercise.
>
> A new option, available when SUPPORT_TLS defined, "openssl_load_all". It's a
> boolean, default false. It is a fatal error to set this true without also
> defining "tls_require_ciphers".
>
> The theory being that anyone who knows to load all algorithms knows enough to
> make their own educated decision about a cipher policy but that loading all
> algorithms has the risk of adding new dangerous ciphers that should not be
> present and would be a security step backwards. This avoids Exim needing to
> push a cipher which can become stale and puts Exim only in the position of
> having some mild protection against accidental shooting of self in foot.
>
> I was able to use Martin's sha256 stuff successfully with this patch.

no doubt that this is going to do the trick. However, I think this is quite
complicated for an admin.

Thinking about the issue again, my preferred solution would be to just add
SHA256 by a call to EVP_AddDigest(). This way, we're not accidentally enabling
weak ciphers and there's no additional complexity for the exim administrator.

I would assume that X.509 certificates with sha256-based signature (or more
exactly pkcs1 1.5 signature using sha256) will become more and more common.

Best regards,
Martin
