On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote:
> I'd make that:
>
>     HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
>
> Because the ciphers are already sensibly ordered as of OpenSSL 1.0.0.

No matter what we tell people and how much we push towards 1.0.2 as a minimum, I am confident that as long as someone can cobble together a way to keep running with OpenSSL 0.9.8 then _someone_ will do so. Thus @STRENGTH stays.

I believe that !aNULL is covered by requiring verification, but sure, good to disable here.

The others: it's more complex knowledge of what should be put where end administrators touch things than I'm entirely comfortable with. So your string is "better" but I don't want to be putting that level of intimidating TLS configuration into our starting configuration file.

Thus "HIGH:!aNULL:@STRENGTH" and, _if_ I find time to work on the suggested OpenSSL integration revamp, then something which disables older versions of TLS, as for GnuTLS.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
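An added example, not part of the thread, that uses Python's ssl module to expand the two cipher strings above on whatever OpenSSL the local Python is linked against, so an administrator can see what `!aNULL` and `@STRENGTH` actually change. It assumes a Python linked against OpenSSL 1.1.0 or later; the static DH/ECDH aliases in Viktor's string were removed in 1.1.0 and OpenSSL silently ignores cipher-string tokens it does not recognise, so the exact lists vary by OpenSSL version.

```python
import ssl

# The two cipher strings discussed in the thread.
EXIM_DEFAULT = "HIGH:!aNULL:@STRENGTH"
VIKTOR_STRING = "HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd"


def resolve(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites the local
    OpenSSL would offer, in the order it would offer them.  TLS 1.3 suites
    live in a separate list that cipher strings never touch, so drop them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string):
    return [c["name"] for c in resolve(cipher_string)]


def anonymous(cipher_string):
    """Suites with no server authentication (Au=None): exactly what !aNULL
    removes.  Certificate verification would also refuse them, as Phil notes."""
    return [c["name"] for c in resolve(cipher_string)
            if "Au=None" in c["description"]]


def sorted_by_strength(cipher_string):
    """True when key strength never increases down the list, which is the
    order @STRENGTH enforces (the reason Phil keeps it for old OpenSSL)."""
    bits = [c["strength_bits"] for c in resolve(cipher_string)]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def removed_by(base, stricter):
    """Suites that 'base' offers but 'stricter' does not."""
    keep = set(names(stricter))
    return [n for n in names(base) if n not in keep]


if __name__ == "__main__":
    print("anonymous suites in HIGH alone:", anonymous("HIGH"))
    print("anonymous suites in Exim default:", anonymous(EXIM_DEFAULT))
    print("HIGH:!aNULL sorted by strength?", sorted_by_strength("HIGH:!aNULL"))
    print("Exim default sorted by strength?", sorted_by_strength(EXIM_DEFAULT))
    print("dropped by Viktor's string:", removed_by("HIGH:!aNULL", VIKTOR_STRING))
```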
