> On Mar 28, 2018, at 3:10 AM, Konstantin Boyandin via Exim-users 
> <[email protected]> wrote:
> 
> Can someone recommend simplest ciphers selection for Exim, to exclude the 
> mentioned cipher? The settings present on cipherli.st:
> 
> tls_require_ciphers = AES128+EECDH:AES128+EDH
> openssl_options = +no_sslv2 +no_sslv3
> 
> seem kind of too strict, there were reported problems receiving email after 
> the above were put in effect.

Per RFC7435, some security is better than none, and with opportunistic security 
one should not be too strict in disabling weak ciphers.  However, one 
should eventually disable weak ciphers that have disappeared from use.  Reducing 
the attack surface is also a worthy goal.

Therefore there are some deprecated ciphers that I recommend for removal to 
Postfix users.  These should also be suitable for removal in Exim.

        MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

To exclude these, your cipherlist would be:

   DEFAULT:+RC4:!LOW:!EXPORT:!MD5:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5

You can probably also disable RC4 if you like, its use is rather negligible,
just a handful of Microsoft Exchange 2003 systems that most people never get
email from.  For that, change "+RC4" (which moves it to the end of the list)
to "!RC4" (which disables it).

In Postfix I enable anonDH ciphers, for reasons explained in:

   https://tools.ietf.org/html/rfc7672#section-8.2

Security scanners tend to also warn you about that, so you'd need to be willing 
to ignore any such warnings.  For that to be useful the anonymous ciphers would 
have to be preferred, and so the cipherlist becomes:

   aNULL:-aNULL:ALL:+RC4:!LOW:!EXPORT:!MD5:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5:@STRENGTH

Here the addition and removal of "aNULL" before including "ALL" moves the 
"aNULL" ciphers to the front of the list, but @STRENGTH does a stable sort by 
bit-strength, so you get aNULL at the front of the list for each key length.

-- 
        Viktor.


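To see what the two strings from the message above actually select, here is an added example, not code from Viktor's message nor from Exim or Postfix. It feeds each string to OpenSSL through Python's standard-library ssl module (the same SSL_CTX_set_cipher_list parser that Exim's tls_require_ciphers uses when Exim is built against OpenSSL), then checks the properties the message relies on: that the "!" rules removed MD5, aDSS, static kECDH/kDH, LOW/EXPORT, SEED, IDEA and RC2; and that "aNULL:-aNULL:ALL:...:@STRENGTH" leaves the list sorted by strength with the aNULL suites first inside each strength class. The "!RC5" spelling follows the message's list of deprecated ciphers. Assumptions of the example: OpenSSL 1.1.0 or later, and the "@SECLEVEL=0" token, which it appends because OpenSSL's default security level (1) refuses aNULL suites at handshake time even when the configured list contains them; the function names are the example's own.

```python
"""Expand an OpenSSL cipherlist as a mail server will offer it, and check
the exclusion and ordering properties described in the message above.

Added example; not from the original post.  Needs only Python's stdlib ssl
module built against OpenSSL >= 1.1.0 (for "@SECLEVEL=" support).
"""
import ssl

# The two cipherlists from the message above, with "!RC5" as in its list of
# deprecated ciphers.
STRICT = "DEFAULT:+RC4:!LOW:!EXPORT:!MD5:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5"
OPPORTUNISTIC = ("aNULL:-aNULL:ALL:+RC4:!LOW:!EXPORT:!MD5:!aDSS:!kECDH:!kDH"
                 ":!SEED:!IDEA:!RC2:!RC5:@STRENGTH")

# Tokens SSL_CIPHER_description() prints for the encryption algorithms the
# "!SEED:!IDEA:!RC2" rules are meant to remove.
EXCLUDED_ENC = ("Enc=SEED", "Enc=IDEA", "Enc=RC2")


def expand(cipherlist, seclevel=0):
    """Return the TLS 1.2-and-below suites OpenSSL selects for cipherlist, in
    the order it will offer them.

    Assumption: "@SECLEVEL=<n>" is appended because OpenSSL's default security
    level (1) rejects aNULL suites during the handshake even though they are
    in the configured list; a server that really wants to offer them must run
    at level 0.  The token is part of the cipher-string syntax, so it can be
    placed in tls_require_ciphers as well.  TLS 1.3 suites are configured
    separately by OpenSSL and always listed first, so they are dropped here
    to show only what the cipherlist controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("%s:@SECLEVEL=%d" % (cipherlist, seclevel))
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def violations(suites):
    """Names of suites that survived although a '!' rule should have removed
    them.  An empty list means the exclusions did what the message says."""
    bad = []
    for c in suites:
        if (c["digest"] == "md5"                       # !MD5
                or c["auth"] == "auth-dss"             # !aDSS
                or c["kea"] in ("kx-ecdh", "kx-dh")    # !kECDH:!kDH (static key exchange)
                or c["strength_bits"] < 112            # !LOW:!EXPORT
                or any(t in c["description"] for t in EXCLUDED_ENC)):
            bad.append(c["name"])
    return bad


def anull_first_per_strength(suites):
    """True iff, inside every strength class, all aNULL suites precede all
    authenticated ones: the effect of "aNULL:-aNULL:ALL:...:@STRENGTH".

    "-aNULL" parks the already-selected aNULL suites at the head of OpenSSL's
    internal list, "ALL" then re-adds them before everything else, and the
    stable sort done by @STRENGTH keeps that relative order within each class.
    RC4 suites are skipped: "+RC4" deliberately moved them to the tail.
    """
    authenticated_seen = set()
    for c in suites:
        if "Enc=RC4" in c["description"]:
            continue
        if c["auth"] == "auth-null":
            if c["strength_bits"] in authenticated_seen:
                return False
        else:
            authenticated_seen.add(c["strength_bits"])
    return True


def sorted_by_strength(suites):
    """True iff strength_bits never increases down the list (what @STRENGTH guarantees)."""
    bits = [c["strength_bits"] for c in suites]
    return bits == sorted(bits, reverse=True)


if __name__ == "__main__":
    for label, cipherlist in (("strict", STRICT), ("opportunistic", OPPORTUNISTIC)):
        suites = expand(cipherlist)
        print("%s: %d suites, violations=%s, strength-sorted=%s, aNULL-first=%s"
              % (label, len(suites), violations(suites),
                 sorted_by_strength(suites), anull_first_per_strength(suites)))
        for c in suites:
            print("   %3d %-32s %-10s %s" % (c["strength_bits"], c["name"], c["auth"], c["kea"]))
```

Run it as a script to see the full ordered list for each string. Which suites appear depends on how the local OpenSSL was built (OpenSSL 3 without the legacy provider has no RC4 suites at all, for instance), but the checks hold on any build: the strict list never contains an aNULL suite because DEFAULT excludes them, and the opportunistic list is strength-sorted with anonymous suites leading each class.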
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/