CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/06/27 23:06:54
Modified files:
usr.sbin/relayd: relayd.conf.5 relayd.h
Log message:
Switch the default TLS cipher set from "HIGH:!aNULL" to "secure"

The "secure" keyword only allows TLSv1.3 and the TLSv1.2 AEAD ciphers
that have forward secrecy (ECDHE/DHE). See tls_config_set_ciphers(3)
for details. This is stricter than "HIGH:!aNULL" and drops older
ciphers without AEAD or forward secrecy.

Also update the ciphers text in relayd.conf.5 with the clearer wording
from smtpd.conf.5.

Old peers that need these older ciphers may no longer connect.

idea from Mischa, ok kirill@ ok tb@
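
To see which suites the change described in the log message removes, the following added example (not part of the commit or of relayd) expands the old default "HIGH:!aNULL" and splits it by the rule the message states. It assumes Python's ssl module and the metadata fields returned by SSLContext.get_ciphers(); the helper names are hypothetical, and the rule is an approximation of libtls's "secure" keyword, so the list from the local TLS library can differ from relayd's.

```python
import ssl

# Key-exchange labels that get_ciphers() reports for forward-secret suites.
FS_KEX = {"kx-ecdhe", "kx-dhe"}


def survives_secure(cipher):
    """Approximate the stated rule: TLSv1.3, or TLSv1.2 AEAD with ECDHE/DHE."""
    proto = cipher.get("protocol")
    if proto == "TLSv1.3":
        return True
    return (proto == "TLSv1.2"
            and bool(cipher.get("aead"))
            and cipher.get("kea") in FS_KEX)


def reason_dropped(cipher):
    """Return the first reason a suite fails the rule, or None if it survives."""
    if survives_secure(cipher):
        return None
    if not cipher.get("aead"):
        return "no AEAD"
    if cipher.get("kea") not in FS_KEX:
        return "no forward secrecy"
    return "protocol older than TLSv1.2"


def split_old_default(old="HIGH:!aNULL"):
    """Expand the old default with the local TLS library and split it by the rule."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(old)
    kept, dropped = [], []
    for c in ctx.get_ciphers():
        (kept if survives_secure(c) else dropped).append(c)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = split_old_default()
    print(f"{len(kept)} suites still allowed, {len(dropped)} dropped")
    for c in dropped:
        print(f"  {c['name']:32} {reason_dropped(c)}")
```

The dropped list is what to compare against the suites that older peers of a relay are limited to.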