messy hodge-podge
can't argue
the sensible recipe would be:
always makes sense, once you see it.
frequently _not_ where i first land. sigh.
https://ssl-config.mozilla.org/
some ill-conceived guide that recommends a specific list of ciphers.
that comment about that source is ... unexpected. but, notable advice.
Nobody has those stats
fair enough.
Broadly speaking you'll see some combinations of:
- AES-GCM at 256 or 128 bits
- ECDHE with X25519 or P-256
- DHE with some random server-selected group
- P-256 ECDSA certs
- 2048-bit RSA certs
But there's no good reason to attempt to optimise the cipherlist.
Leave the defaults be.
typically where i end up after each attempt to get a better handle on all this
-- w.r.t. smtp.
tbh in this case, it's less about 'optimizing', and more trying to use "bad, old,
outdated, weak, etc" client TLS cipher usage as a filtering mechanism.
yes, there's an assumption that no 'white hat' that i care to receive mail from would use
"bad, old, outdated, weak, etc" ciphers ... which is likely an unfortunately
bad assumption.
at least getting the PQC up was seemingly straightforward; now to wait to see
any usage ...
cheers.
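An added example, not part of the original message or of Postfix itself: a way to measure what inbound clients actually negotiate before treating old TLS parameters as a filtering signal. It assumes the per-session summary line that smtpd writes at `smtpd_tls_loglevel = 1`; the log lines, hostnames and addresses are constructed, and `tally` and `legacy_sessions` are hypothetical helper names.

```python
import re
from collections import Counter

# Summary line smtpd writes per inbound TLS session at smtpd_tls_loglevel = 1.
# The key-exchange field is optional because older builds omit it.
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+ TLS connection established from "
    r"(?P<client>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\(\d+/\d+ bits\)(?: key-exchange (?P<kex>\S+))?"
)

# Constructed sample log lines (documentation hostnames and addresses).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[101]: connect from a.example[192.0.2.10]
Jan 10 12:00:01 mx postfix/smtpd[101]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 10 12:00:05 mx postfix/smtpd[102]: Anonymous TLS connection established from b.example[192.0.2.11]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 10 12:00:09 mx postfix/smtpd[103]: Anonymous TLS connection established from c.example[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 12:00:12 mx postfix/smtpd[104]: Anonymous TLS connection established from old.example[203.0.113.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 10 12:00:15 mx postfix/smtp[202]: Verified TLS connection established to mx.example[198.51.100.9]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

def tally(lines):
    """Count negotiated protocol, cipher and key exchange over inbound sessions."""
    counts = {"proto": Counter(), "cipher": Counter(), "kex": Counter()}
    for line in lines:
        m = TLS_LINE.search(line)
        if m:  # outbound (postfix/smtp) and non-TLS lines do not match
            counts["proto"][m["proto"]] += 1
            counts["cipher"][m["cipher"]] += 1
            counts["kex"][m["kex"] or "not logged"] += 1
    return counts

def legacy_sessions(lines, modern=("TLSv1.2", "TLSv1.3")):
    """Return (client, protocol, cipher) for inbound sessions below TLS 1.2."""
    hits = []
    for line in lines:
        m = TLS_LINE.search(line)
        if m and m["proto"] not in modern:
            hits.append((m["client"], m["proto"], m["cipher"]))
    return hits

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for field, counter in tally(lines).items():
        print(field, dict(counter))
    for client, proto, cipher in legacy_sessions(lines):
        print("legacy:", client, proto, cipher)
```

Comparing the `legacy_sessions` output against known-good correspondents shows how many legitimate senders a cipher-based filter would catch.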