> > On 2014-10-16 at 17:49 +0100, [email protected] wrote: > > I have been going round and round in circles trying to do this :-{. I > > have tried lots of different incantations using tls_require_ciphers but > > without success. > > My exim which came ready built in an RPM is linked with OpenSSL rather than > > GnuTLS. I am using 'nmap --script ssl-enum-ciphers -p 465' to see what > > ciphers are offered. > > The instructions are in: > > https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html > > Note: you are using OpenSSL, so the `openssl_options` Exim option is the > one which you need to set. OpenSSL does not permit using a cipherspec > to tune broader options. The `tls_require_ciphers` option can only take > the values described in `man ciphers`. > > > I am at a loss to know why 'tls_require_ciphers = All:!SSLv2:!SSLv3' does > > not do what I want. It just results in no ciphers being offered. > > Because it's `ALL` not `All`; whatever value you pass here, is expanded > in the same way as the `openssl ciphers` command; thus: > > ----------------------------8< cut here >8------------------------------ > % openssl ciphers 'All:!SSLv2:!SSLv3' > Error in cipher list > 34381432488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher > match:ssl_lib.c:1314: > > % openssl ciphers 'ALL:!SSLv2:!SSLv3' > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256 > ----------------------------8< cut here >8------------------------------ > > This just controls which ciphers are available, not the protocol > negotiation, so you still want to use `openssl_options`.
Phil, Many thanks for the explanation and above link describing the openssl_options option. As it was not available in exim-4.72, the RPM package version which comes with SLC6 (the system I am using) I built the current version (4.84) from source, which is now installed and working nicely. In case these are useful to anyone else running SLC6/SL6/Centos6/RHEL6 etc. Here are the RPMs together with their MD5 checksums. http://www.mklab.rhul.ac.uk/~tom/exim-4.84-1.el6.src.rpm 037c83fdc369c4dd315131d162cbf287 http://www.mklab.rhul.ac.uk/~tom/exim-4.84-1.el6.x86_64.rpm 7170ba90ec3de50ba858546c51caa0fb http://www.mklab.rhul.ac.uk/~tom/exim-debuginfo-4.84-1.el6.x86_64.rpm 07bc2d3fe3cc915c454938a7b18b231b http://www.mklab.rhul.ac.uk/~tom/exim-greylist-4.84-1.el6.x86_64.rpm 54c0b7104acce075e343b362fcf11526 http://www.mklab.rhul.ac.uk/~tom/exim-mon-4.84-1.el6.x86_64.rpm 3915965edc801574dd9653e07ff8fafb http://www.mklab.rhul.ac.uk/~tom/exim-mysql-4.84-1.el6.x86_64.rpm 2d0f45a062eb59e314c4e3d8e636f6b9 http://www.mklab.rhul.ac.uk/~tom/exim-pgsql-4.84-1.el6.x86_64.rpm eae29b80f81e78ba7416aca8d85a7aba Cheers Tom. -- Tom Crane, Dept. Physics, Royal Holloway, University of London, Egham Hill, Egham, Surrey, TW20 0EX, England. Email: [email protected] Fax: +44 (0) 1784 472794 -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
