On Tue, Oct 04, 2022 at 12:07:56AM +0000, Eddie Rowe wrote:

> > What is the client TLS security level?
>
> I was using "may" and then "encrypt", but learned I should have been
> using "verify" since this shows more information in the log files!

:-) It's not that it shows "more information" in the logs, but rather it
turns on requisite verification of the peer certificate, and consequently
disables use of anonymous ciphers that might otherwise be used (TLS 1.2 or
lower, since TLS 1.3 has no anon-(EC)DHE ciphers at present).

Also, if the server name is subject to MX lookups, "verify" is subject to
MiTM MX record forgery unless you fix the match names or have DNSSEC.

In any case, the client will log "Trusted" when the certificate is signed
by a trusted CA, and "Verified" when the security level is higher than
"encrypt" and the certificate matches.

-- 
Viktor.