Hi! I'm trying to configure exim to not accept SSLv3 protocol connections.
With exim, there's only tls_require_ciphers, which does not allow disabling SSLv3 in a similar fashion. Well, it *does* allow '!SSLv3', but then TLSv1 fails as well.

This can be tested using cnark:

  http://blog.techstacks.com/cryptonark.html
  http://www.techstacks.com/files/cnark-v0.5.6.tar.gz

and calling the cnark script:

  cnark -h my-test-host -p 465 --insecure

Case 1, disable SSLv3:

  tls_require_ciphers = HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

cnark gives:

  [...]
  Testing SSLv3 Ciphers...
  Testing TLSv1 Ciphers...
  Testing TLSv1.2 Ciphers...
  [...]

Case 2, disable only SSLv2:

  tls_require_ciphers = HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

cnark gives:

  [...]
  Testing SSLv3 Ciphers...
  DHE-RSA-AES256-SHA -- 256 bits, High Encryption, Forward Secrecy
  AES256-SHA -- 256 bits, High Encryption
  DHE-RSA-AES128-SHA -- 128 bits, High Encryption, Forward Secrecy
  AES128-SHA -- 128 bits, High Encryption
  Testing TLSv1 Ciphers...
  DHE-RSA-AES256-SHA -- 256 bits, High Encryption, Forward Secrecy
  AES256-SHA -- 256 bits, High Encryption
  DHE-RSA-AES128-SHA -- 128 bits, High Encryption, Forward Secrecy
  AES128-SHA -- 128 bits, High Encryption
  Testing TLSv1.2 Ciphers...
  [...]

With dovecot, besides ssl_cipher_list there's an ssl_protocols field, as described in:

  http://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher

So setting 'ssl_protocols = !SSLv2 !SSLv3' allows disabling SSLv3. This is implemented in dovecot-2.2.15 in dovecot-2.2.15/src/lib-ssl-iostream/iostream-openssl-common.c with a function openssl_get_protocol_options, and maybe exim needs something similar?

-- 
[email protected]
+49 171 3101372
6 years to go !

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
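
The behaviour seen in Case 1 comes from what the SSLv3 keyword means inside an OpenSSL cipher string: it matches cipher suites by the protocol version that introduced them, not the protocol a connection negotiates. The RSA and DHE suites with SHA1 MACs (AES256-SHA, DHE-RSA-AES128-SHA and friends) are "SSLv3" suites that TLSv1.0 and 1.1 reuse, so `!SSLv3` also empties the list a TLSv1 client can use. The following is an added example, not code from the post or from the Exim project; it uses Python's ssl module as a stand-in for Exim's OpenSSL build, feeds it the two tls_require_ciphers values from the post (assumed as constants here), and shows which suites the `!SSLv3` exclusion removes, beside the protocol-level control (`minimum_version`) that dovecot's ssl_protocols setting corresponds to.

```python
import ssl

# The two tls_require_ciphers values from the post, taken as constants for this example.
CASE1_NO_SSLV3 = "HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
CASE2_NO_SSLV2 = "HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"


def suites_for(cipher_string):
    """Return the (name, protocol) pairs OpenSSL selects for a cipher string.

    'protocol' is the lowest protocol version in which OpenSSL defines the
    suite; that is exactly what the SSLv3 / TLSv1.0 / TLSv1.2 keywords in a
    cipher string match on.  TLS 1.3 suites are fixed by OpenSSL and are not
    controlled by the cipher string, so they are left out of the comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def suites_by_min_version(cipher_string):
    """Group the selected suites by the protocol version that introduced them."""
    grouped = {}
    for name, proto in suites_for(cipher_string):
        grouped.setdefault(proto, []).append(name)
    return grouped


def removed_by_sslv3_exclusion():
    """Suites that Case 2 offers but Case 1 (the same string plus !SSLv3) drops.

    These are the SSLv3-era suites, which are also the only suites a TLSv1.0
    client without ECDHE support can use, hence the empty TLSv1 result.
    """
    kept = {name for name, _ in suites_for(CASE1_NO_SSLV3)}
    return sorted(name for name, _ in suites_for(CASE2_NO_SSLV2) if name not in kept)


def protocol_restricted_context():
    """The protocol-level alternative: keep the Case 2 cipher list and refuse
    to *negotiate* old protocol versions instead of deleting suites.  The
    SSLv3-era suites stay available to clients speaking the permitted versions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(CASE2_NO_SSLV2)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor chosen for this example
    return ctx


def protocol_floor():
    """Name of the lowest protocol version the restricted context will accept."""
    return protocol_restricted_context().minimum_version.name


if __name__ == "__main__":
    for label, cs in (("Case 1 (!SSLv3)", CASE1_NO_SSLV3), ("Case 2 (!SSLv2 only)", CASE2_NO_SSLV2)):
        print(label)
        for proto, names in sorted(suites_by_min_version(cs).items()):
            print("  introduced in %-8s %s" % (proto, ", ".join(names)))
    print("Removed by !SSLv3:", ", ".join(removed_by_sslv3_exclusion()))
    print("Protocol floor of the restricted context:", protocol_floor())
```

Running it shows that Case 1 keeps only suites introduced in TLSv1.0 (ECDHE) or TLSv1.2 (AES-GCM, SHA-2 MACs), which is why an older client, or a server without ECDHE configured as in the post, ends up with nothing for TLSv1. The `minimum_version` setting is the protocol-level switch the post is asking for; Exim's own equivalent, when built against OpenSSL, is the openssl_options main option (for example `openssl_options = +no_sslv2 +no_sslv3`), which restricts protocol versions without touching the suite list.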
