Phil, Thanks for your response.
I'm just running a PCI penetration test now which will let me know if it's worked. I'll post back when I know the results. Weirdly though, my example appeared to work yesterday.. and I printed off a report showing no errors - yet today when I've come to view the same report - the error is back in it. Nice :)

On Tue, 27 Nov 2007 15:57:02 -0800, Phil Pennock <[EMAIL PROTECTED]> wrote:
> On 2007-11-26 at 15:27 +0000, andylockran wrote:
>> I'm setting up a cluster of servers for the PCI DSS and I've only got
>> one vulnerability left - which is that SSL/TLS supports weak authentication
>> in exim. (I managed to set SSLv2 to disabled on exim with the following
>> line:)
>>
>> tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
>>
>> Unfortunately, this does not set the authentication method to only
>> support HIGH levels of encryption (128bit or above).
>>
>> I can't find any information about where this should be set.. and I know
>> this line works as it manages to disable SSLv2. I've checked section 38 of
>> the manual (and 38.4 specifically as I'm using openssl).
>>
>> One of the solutions may be to specify the particular encryption methods
>> on this line - but does anyone know a way of implementing the
>> HIGH:MEDIUM:LOW setting in a similar way to the following (from proftpd).
>>
>> TLSCipherSuite HIGH:MEDIUM:!ADH:!SSLv2
>
> It's left-to-right, IIRC, and so adding SSLv3 later overrode the
> !MEDIUM.
>
> I use (but I'm not a cryptographer):
> tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH
>
> Turn them all on, disable LOW, the EXPORT restricted ones, Anonymous DH,
> the NULL, the plain DES and then sort the remainder in strength order, so
> that the strongest one is preferred.
>
> Provided that your OS installs the OpenSSL man-pages, ciphers(1) should
> list the options available.  Otherwise the current doc (as opposed to
> docs for your installed version) is at:
> http://www.openssl.org/docs/apps/ciphers.html
>
> Oh, cool, NULL is not included in ALL so my !NULL is sheer paranoia.
> I'll leave it there. :^)
>
> -Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
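Below is an added illustration, not code from this thread or from Exim or OpenSSL: a small Python model of OpenSSL's left-to-right cipher-string evaluation, run over a constructed cipher table, to show which suites each of the two tls_require_ciphers values above leaves enabled. The suite names and keyword tags in the table are assumptions made for the example; only the `openssl ciphers -v` command is real.

```python
# Added example, not code from the thread, Exim or OpenSSL: a simplified
# model of OpenSSL's left-to-right cipher-string evaluation per ciphers(1):
# a plain keyword appends matching suites, "!" removes them permanently,
# "-" removes them but a later keyword may re-add them, "+" moves them to
# the end of the list, and "@STRENGTH" sorts by key size. The cipher table
# is constructed for illustration; check a real install with
# `openssl ciphers -v '<string>'`.

# name -> (key bits, keywords matching it); NULL-SHA is left out of ALL.
CIPHERS = {
    "AES256-SHA":     (256, {"HIGH", "SSLv3", "ALL"}),
    "AES128-SHA":     (128, {"HIGH", "SSLv3", "ALL"}),
    "DES-CBC3-SHA":   (168, {"HIGH", "SSLv3", "ALL"}),
    "RC4-SHA":        (128, {"MEDIUM", "SSLv3", "ALL"}),
    "RC4-MD5":        (128, {"MEDIUM", "SSLv3", "ALL"}),
    "ADH-AES128-SHA": (128, {"HIGH", "ADH", "SSLv3", "ALL"}),
    "DES-CBC-SHA":    (56,  {"LOW", "DES", "SSLv3", "ALL"}),
    "EXP-RC4-MD5":    (40,  {"EXPORT", "SSLv3", "ALL"}),
    "DES-CBC3-MD5":   (168, {"HIGH", "SSLv2", "ALL"}),
    "NULL-SHA":       (0,   {"NULL", "SSLv3"}),
}
# Keywords a PCI scan flags if any enabled suite carries them.
WEAK = {"LOW", "EXPORT", "ADH", "NULL", "DES", "SSLv2"}

def evaluate(cipher_string):
    """Return the ordered list of suites the cipher string enables."""
    enabled, killed = [], set()
    for rule in cipher_string.split(":"):
        if rule == "@STRENGTH":  # stable sort: strongest first, ties keep order
            enabled.sort(key=lambda n: CIPHERS[n][0], reverse=True)
            continue
        op, kw = (rule[0], rule[1:]) if rule[:1] in ("!", "-", "+") else ("", rule)
        hit = [n for n, (_, tags) in CIPHERS.items() if kw in tags]
        if op == "!":
            killed.update(hit)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in hit]
        elif op == "+":
            enabled = [n for n in enabled if n not in hit] + [n for n in enabled if n in hit]
        else:
            enabled += [n for n in hit if n not in enabled and n not in killed]
    return enabled

def weak_suites(cipher_string):
    """Enabled suites carrying a flagged keyword."""
    return [n for n in evaluate(cipher_string) if CIPHERS[n][1] & WEAK]

ORIGINAL = "HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES"            # string from the question
PHIL = "ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH"  # Phil's string
```

In this model the first string keeps the anonymous-DH, export and NULL suites because the later SSLv3 keyword appends every SSLv3 suite that was not explicitly killed, while Phil's string removes those classes by name and only the MEDIUM suites remain; appending an explicit !MEDIUM drops those too.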
