295755 Re: postfix hardening - what can we do?
- Oct 4, 2013
Viktor Dukhovni <postfix-users@...> writes:
>> but...the way this works: the server gets offered a list of ciphersuites
>> from the client, and then the server picks a ciphersuite, so without
>> knowing how the server picks its ciphersuites from the client, these
>> results are not clear.
> By default the server picks the client's most preferred cipher that
> is also available on the server. You can set "tls_preempt_cipherlist
> = yes" to have the server use its most preferred cipher supported
> by the client. This could break some fragile clients that offer
> ciphers (at a low preference) whose implementation is broken.

That is interesting. I tried to preempt the cipherlist and disable ECDHE
to avoid the NIST curves, but couldn't get postfix to exclude that
cipher using smtpd_tls_exclude_ciphers. It wasn't clear to me from
the correct syntax to use there is, I tried kxECDHE but that didn't work
either. Do you know what format those are specified in?
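
The selection rule quoted in the message above, modelled as an added example that is not part of the original thread and is not Postfix or OpenSSL code. The preference lists are constructed, and `excluded_prefixes` is a hypothetical name-prefix filter standing in for a server-side exclusion, not the real `smtpd_tls_exclude_ciphers` syntax.

```python
def negotiate(client_prefs, server_prefs, preempt=False, excluded_prefixes=()):
    """Return the suite the server would select, or None if none is shared.

    client_prefs / server_prefs: suite names, most preferred first.
    preempt: models "tls_preempt_cipherlist = yes" (server order decides).
    excluded_prefixes: hypothetical filter applied to the server list only.
    """
    # Suites the server is still willing to use after exclusions.
    allowed = [s for s in server_prefs
               if not any(s.startswith(p) for p in excluded_prefixes)]
    if preempt:
        # Server walks its own list and takes the first suite the client offered.
        order, other = allowed, set(client_prefs)
    else:
        # Default: server walks the client's list and takes the first it supports.
        order, other = client_prefs, set(allowed)
    for suite in order:
        if suite in other:
            return suite
    return None  # no common suite: the handshake would fail


# Constructed preference lists (most preferred first).
SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA",
          "AES256-SHA", "RC4-SHA"]
CLIENT = ["RC4-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA"]
ECDHE_ONLY_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    print("default:          ", negotiate(CLIENT, SERVER))
    print("preempt:          ", negotiate(CLIENT, SERVER, preempt=True))
    print("preempt, no ECDHE:", negotiate(CLIENT, SERVER, preempt=True,
                                          excluded_prefixes=("ECDHE-",)))
    print("ECDHE-only client:", negotiate(ECDHE_ONLY_CLIENT, SERVER,
                                          excluded_prefixes=("ECDHE-",)))
```
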