Re: [exim] Problem disabling SSLv3 ciphers on Exim 4.72 to deal with Poodle vunerability (CVE-2014-3566)

Mon, 20 Oct 2014 12:37:04 -0700 

On 2014-10-16 at 17:49 +0100, [email protected] wrote:
>       I have been going round and round in circles trying to do this :-{. I 
> have tried lots of different incantations using tls_require_ciphers but 
> without success.  
> My exim which came ready built in an RPM is linked with OpenSSL rather than 
> GnuTLS. I am using 'nmap --script ssl-enum-ciphers -p 465' to see what 
> ciphers are offered.

The instructions are in:

  https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

Note: you are using OpenSSL, so the `openssl_options` Exim option is the
one which you need to set.  OpenSSL does not permit using a cipherspec
to tune broader options.  The `tls_require_ciphers` option can only take
the values described in `man ciphers`.

> I am at a loss to know why 'tls_require_ciphers = All:!SSLv2:!SSLv3' does not 
> do what I want.  It just results in no ciphers being offered.

Because it's `ALL` not `All`; whatever value you pass here, is expanded
in the same way as the `openssl ciphers` command; thus:

----------------------------8< cut here >8------------------------------
% openssl ciphers 'All:!SSLv2:!SSLv3'
Error in cipher list
34381432488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher 
match:ssl_lib.c:1314:

% openssl ciphers 'ALL:!SSLv2:!SSLv3'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
----------------------------8< cut here >8------------------------------

This just controls which ciphers are available, not the protocol
negotiation, so you still want to use `openssl_options`.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to