Re: tls_high_cipherlist with !SEED is ignored

Wietse Venema Tue, 15 Jan 2019 07:01:46 -0800

stefan Bauer:
> Nessus reports for example TLS_RSA_WITH_SEED_CBC_SHA as weak on our
> submission port. So i was using the following to disable all SEED ciphers
> on submission port but it has no effect:
> 
>  -o smtpd_tls_mandatory_ciphers=high
>  -o tls_preempt_cipherlist=yes
>  -o
> tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-S
> HA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA


I see no evidence that smtpd is using mandatory TLS, which I think
is a prerequisite for the above settings to have an observable effect.

        Wietse

Re: tls_high_cipherlist with !SEED is ignored

Reply via email to