> On Apr 20, 2018, at 8:17 PM, Phil Pennock via Exim-users 
> <[email protected]> wrote:
> 
> .ifdef _HAVE_OPENSSL
>  tls_require_ciphers = HIGH:@STRENGTH
> .endif

I'd make that:

        HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd

Because the ciphers are already sensibly ordered as of OpenSSL 1.0.0.
The HIGH ciphers are only HIGH by virtue of symmetric cipher strength,
but in fact include anon-DH ciphers with strong bulk crypto, which given
the desire to authenticate the peer should not be included.

This also disables DSA which nobody uses and fixed DH/ECDH ciphers which
are not and should not be used.  With OpenSSL 1.0.2 this brings the cipher
count down from 82 to 52.

-- 
        Viktor.
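As an added illustration (not part of the thread, and not OpenSSL's own matcher), the following Python parses `openssl ciphers -v` style lines and shows which suites each `!` exclusion in the stricter string removes. The sample lines are constructed in the 1.0.2 output format, all are already HIGH-strength so only the exclusions matter, and the keyword mapping is a simplified model of how OpenSSL classifies the `Kx=`/`Au=` fields.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` (OpenSSL 1.0.2 style).
# Not captured from a real run; suite names and fields are illustrative.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH         Au=RSA  Enc=AES(256)    Mac=SHA256
ADH-AES256-GCM-SHA384       TLSv1.2 Kx=DH         Au=None Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            TLSv1   Kx=ECDH       Au=None Enc=AES(256)    Mac=SHA1
DHE-DSS-AES256-SHA256       TLSv1.2 Kx=DH         Au=DSS  Enc=AES(256)    Mac=SHA256
ECDH-RSA-AES256-SHA384      TLSv1.2 Kx=ECDH/RSA   Au=ECDH Enc=AES(256)    Mac=SHA384
ECDH-ECDSA-AES256-SHA384    TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)    Mac=SHA384
DH-RSA-AES256-SHA256        TLSv1.2 Kx=DH/RSA     Au=DH   Enc=AES(256)    Mac=SHA256
DH-DSS-AES256-SHA256        TLSv1.2 Kx=DH/DSS     Au=DH   Enc=AES(256)    Mac=SHA256
"""

LINE_RE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)")


def parse_ciphers_v(text):
    """Return [(name, kx, au), ...] parsed from `openssl ciphers -v` style lines."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suites.append(m.groups())
    return suites


def excluded_by(kx, au):
    """Simplified model: which '!' keyword of the stricter string removes (kx, au)."""
    if au == "None":
        return "!aNULL"     # anonymous DH/ECDH: no peer authentication at all
    if au == "DSS":
        return "!aDSS"      # DSA-authenticated suites
    if kx == "ECDH/RSA":
        return "!kECDHr"    # fixed (non-ephemeral) ECDH, RSA-signed certificate
    if kx == "ECDH/ECDSA":
        return "!kECDHe"    # fixed ECDH, ECDSA-signed certificate
    if kx == "DH/RSA":
        return "!kDHr"      # fixed DH, RSA-signed certificate
    if kx == "DH/DSS":
        return "!kDHd"      # fixed DH, DSS-signed certificate
    return None             # ephemeral, authenticated suites survive


def apply_exclusions(text):
    """Split suites into (kept names, {dropped name: exclusion keyword})."""
    kept, dropped = [], {}
    for name, kx, au in parse_ciphers_v(text):
        reason = excluded_by(kx, au)
        if reason:
            dropped[name] = reason
        else:
            kept.append(name)
    return kept, dropped
```

Only the ephemeral, RSA-authenticated suites survive in the sample; everything the reply names (anon-DH, DSA, fixed DH/ECDH) is attributed to the keyword that drops it.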


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/