On 03/15/2015 02:25 PM, Marco Gaiarin wrote:
> Hello! Jan Ingvoldstad
>   On that day you wrote...
>
>> I won't directly answer the question, but I would advise you to consider
>> the consequences of enabling TLS compression.
>
> OK, but supposing I want to give it a try for testing purposes, it suffices
> to do something like:
>
> tls_require_ciphers = NORMAL:COMP-ALL:!VERS-SSL3.0
>
> right? Or is it too strict to 'require' compression?
>
> Thanks.
The issue with requiring compression is that other MTAs could be configured to disallow it due to the security issues (which is the general recommendation at least for web servers), in which case the MTA transfer over TLS will likely fail and fall back to using an unencrypted transfer. And where it does work, I think there's a fair chance that compression lowers the security of the TLS session.

https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks

It's also notable that compression has been removed in the TLS 1.3 draft:

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29

-- Chris

-- 
Chris Knadle
[email protected]

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
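A small lint for the GnuTLS priority-string syntax that Exim's `tls_require_ciphers` takes, added here as an example (not code from the thread or from Exim): it tracks which compression methods a string such as `NORMAL:COMP-ALL:!VERS-SSL3.0` leaves enabled and whether SSL 3.0 is explicitly removed, so the compression risk Chris describes can be caught at configuration review. It assumes GnuTLS semantics in which the initial keyword enables only COMP-NULL and COMP-ALL covers COMP-NULL plus COMP-DEFLATE; the function names are mine.

```python
# Lint a GnuTLS priority string (the syntax Exim's tls_require_ciphers takes
# when Exim is built against GnuTLS) for TLS compression and SSL 3.0.
# Added example, not from the thread or Exim. Assumes GnuTLS semantics: the
# initial keyword enables only COMP-NULL; COMP-ALL = COMP-NULL + COMP-DEFLATE.

ALL_COMPRESSION = {"COMP-NULL", "COMP-DEFLATE"}


def parse_priority(priority):
    """Split into (initial keyword, [(op, keyword), ...]); op is '+' (enable),
    '-' (disable; GnuTLS accepts '-' or '!') or '%' (option). An unprefixed
    keyword after the first is treated as '+'."""
    parts = [p.strip().upper() for p in priority.split(":") if p.strip()]
    if not parts:
        raise ValueError("empty priority string")
    mods = []
    for tok in parts[1:]:
        if tok[0] in "-!":
            mods.append(("-", tok[1:]))
        elif tok[0] == "+":
            mods.append(("+", tok[1:]))
        elif tok[0] == "%":
            mods.append(("%", tok))
        else:
            mods.append(("+", tok))
    return parts[0], mods


def lint_priority(priority):
    """Report what the string leaves enabled for compression and SSL 3.0."""
    _initial, mods = parse_priority(priority)
    compression = {"COMP-NULL"}   # assumed default for every initial keyword
    ssl3_disabled = False         # only explicit VERS-SSL3.0 directives count
    for op, kw in mods:
        if kw == "COMP-ALL":
            compression = set(ALL_COMPRESSION) if op == "+" else set()
        elif kw in ALL_COMPRESSION:
            (compression.add if op == "+" else compression.discard)(kw)
        elif kw == "VERS-SSL3.0":
            ssl3_disabled = op == "-"
    return {
        "deflate_enabled": "COMP-DEFLATE" in compression,
        # While COMP-NULL is still offered a peer that refuses compression can
        # still negotiate; without it the string really does require DEFLATE.
        "null_compression_kept": "COMP-NULL" in compression,
        "ssl3_explicitly_disabled": ssl3_disabled,
    }


print(lint_priority("NORMAL:COMP-ALL:!VERS-SSL3.0"))  # the string from the thread
```

For the thread's string the report shows DEFLATE enabled with COMP-NULL still offered, which is the combination Chris's reply warns about rather than a hard requirement that would simply make peers fail.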
