On Tue, 1 Oct 2013, Todd Lyons wrote:

> On Tue, Oct 1, 2013 at 12:38 AM, Dr Andrew C Aitchison
> <[email protected]> wrote:
>> I for one *do* set tls_require_ciphers (though I currently use OpenSSL
>> not GnuTLS) - I dropped RC4 a couple of weeks ago after using
>> it for a couple of months to protect against the BEAST.
>
> I can see protecting against BEAST on the web where a session cookie
> is passed on every transaction.  What utility does protecting against
> BEAST provide in an SMTP or SMTP Auth session?  Help me think out of
> the box because I'm not seeing the usefulness.

At the time I couldn't get enough information to be sure that the
BEAST didn't apply to SMTP, so added RC4 ciphers to protect against it.
Now that Nessus and SSL Labs think RC4 is a bigger problem
I'm prepared to trust that the BEAST isn't an issue with SMTP.

My starting point is that HTTP SSL/TLS vulnerabilities should be
defended against in SMTP/IMAP/SSH unless I can convince myself that
the vulnerability doesn't apply.

--
Dr. Andrew C. Aitchison         Computer Officer, DPMMS, Cambridge
[email protected]   http://www.dpmms.cam.ac.uk/~werdna
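The two tls_require_ciphers settings discussed above, side by side, as an added example (it is not from the thread and not Exim's own code): an OpenSSL-style cipher string that puts RC4 first in the way the BEAST-era workaround did, and one that drops RC4 outright, plus a helper that expands each string with the local OpenSSL to show what it actually admits. The cipher strings themselves are assumed for illustration; Exim only requires that the value be a valid OpenSSL cipher list when built against OpenSSL. Note that many current OpenSSL builds compile the RC4 suites out entirely, so the RC4-first string may expand to zero RC4 suites on a modern host even though it would have admitted them in 2013.

```shell
#!/bin/sh
# Added example, not from the exim-dev thread. Compares an RC4-first
# tls_require_ciphers value (BEAST-era workaround) with one that bans RC4,
# using 'openssl ciphers' to expand each OpenSSL cipher string.

# Assumed RC4-first setting of the kind used as a BEAST mitigation.
OLD_CIPHERS='RC4-SHA:HIGH:!aNULL:!MD5'
# Assumed replacement: strong suites only, RC4 excluded outright.
NEW_CIPHERS='HIGH:!RC4:!aNULL:!MD5'

# Expand a cipher string into one suite name per line.
# 'openssl ciphers' exits non-zero (and prints nothing) if nothing matches.
expand_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Number of suites in the expansion that use RC4 ("0" when none match).
rc4_suite_count() {
    expand_ciphers "$1" | grep -c 'RC4' || true
}

# Total number of suites the string admits ("0" when it matches nothing).
total_suite_count() {
    expand_ciphers "$1" | grep -c . || true
}

# Print the Exim main-section line for a given cipher string.
exim_setting() {
    printf 'tls_require_ciphers = %s\n' "$1"
}

main() {
    for c in "$OLD_CIPHERS" "$NEW_CIPHERS"; do
        printf '%-28s -> %3s suites, %s using RC4\n' "$c" \
            "$(total_suite_count "$c")" "$(rc4_suite_count "$c")"
    done
    printf '\nExim main configuration (OpenSSL build):\n  '
    exim_setting "$NEW_CIPHERS"
}

main "$@"
```

The interesting check is the last column: the hardened string must expand to zero RC4 suites regardless of which OpenSSL the server is linked against, while still admitting a non-empty set of strong suites, otherwise Exim would refuse every TLS session.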

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##