>Is it possible for the client (nmh) to control which ciphers it will
>negotiate with the server?

It's certainly possible for a client to specify a cipher list via the OpenSSL API. This is not a knob I have wanted to expose, though, just for the sake of complexity (the programming isn't hard; it's one API call, but all of the other stuff surrounding it would be a pain, and then there is the issue of documentation ....).

But as Valdis points out, the issue really isn't the cipher list, it's TLS 1.0 itself. I'm still surprised that in 2017 the main SMTP server for a large university would support TLS 1.0 as the _highest_ protocol. I can understand supporting TLS 1.0 in addition to TLS 1.1 and 1.2 to handle support for older clients, but NOT supporting TLS 1.1 or 1.2 seems crazy to me. That almost seems like a misconfiguration to me.

As Valdis's SECOND note says, the issues with TLS 1.0 have been around for a while, and I think when I wrote the nmh netsec layer that's what I had found and I figured it made sense for nmh to be up-to-date when it came to security for once.

I welcome other thoughts on this topic.

--Ken
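
The two client-side knobs discussed in this message (a cipher list and a protocol floor), as an added example that is not nmh's code and not part of the original post. It uses Python's `ssl` module, which wraps OpenSSL, and reads back the ClientHello the client would send to show what it actually offers; the cipher string and the hostname `mail.example.org` are assumptions chosen for illustration.

```python
import ssl


def build_client_context(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Client context with a TLS 1.2 floor and a restricted cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert + hostname checks on
    # Protocol floor: wraps SSL_CTX_set_min_proto_version().
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher list for TLS 1.2 and below: wraps SSL_CTX_set_cipher_list().
    ctx.set_ciphers(cipher_string)
    return ctx


def offered_suites(ctx, hostname="mail.example.org"):
    """Return the cipher suite IDs in the ClientHello this context emits.

    No network is used: the handshake runs against in-memory BIOs and stops
    as soon as the client has written its first flight.
    """
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    hello = outgoing.read()
    # Skip record header (5), handshake header (4), legacy_version (2),
    # random (32), then the length-prefixed session id.
    pos = 5 + 4 + 2 + 32
    pos += 1 + hello[pos]
    length = int.from_bytes(hello[pos:pos + 2], "big")
    body = hello[pos + 2:pos + 2 + length]
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]


def describe_offer(ctx):
    """Map offered suite IDs to OpenSSL names (signalling values stay hex)."""
    names = {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}
    return [names.get(s, "0x%04x" % s) for s in offered_suites(ctx)]


if __name__ == "__main__":
    for name in describe_offer(build_client_context()):
        print(name)
```

A server whose highest protocol is TLS 1.0 cannot complete a handshake with this context regardless of the cipher list, because the version floor is enforced separately from cipher selection.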
