Mailing List Archive

[Bug 2872] Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
https://bugs.exim.org/show_bug.cgi?id=2872

help@novo.media changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |help@novo.media

--- Comment #3 from help@novo.media ---
Although I agree this is not a bug but a wishlist item, I also want to join
this request. For me, it is the fact that I only want to enable 256-bit
encryption throughout my server, which, with exim and TLSv1.3 enabled, I am
currently unable to do. Considering that TLSv1.3 is the future and here to
stay (and a developer would consider an implementation), I kindly suggest the
double-settings route (like OpenSSL itself and every other major daemon by now)
in the form of a cipher list and suites:

dovecot example:

ssl = yes
ssl_cert = </srv/tls/full_chain
ssl_key = </srv/tls/private_key
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl_curve_list = secp384r1

lighttpd example:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/srv/tls/full_chain"
    ssl.privkey = "/srv/tls/private_key"

    ssl.openssl.ssl-conf-cmd = (
        "CipherString" => "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305",
        "Ciphersuites" => "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
        "Curves" => "secp384r1"
    )
}

exim currently:

tls_on_connect_ports = 465
tls_certificate = /srv/tls/full_chain
tls_privatekey = /srv/tls/private_key
tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
tls_eccurve = secp384r1

Possible exim implementation suggestion:

+tls_require_suites = ...

and

+dane_require_tls_suites = ...

Sadly I do not speak C, else I would gladly contribute. So all I am left with
is hoping that a developer might consider it. Thanks very much.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
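
Added example, not part of the original message and not Exim code: a Python check of the cipher-list versus ciphersuites split the comment describes, using the cipher list quoted above. It assumes a Python build linked against OpenSSL 1.1.1 or later, where `SSLContext.set_ciphers()` takes an OpenSSL cipher string and, per the Python documentation, cannot disable TLS 1.3 suites; the function and key names are made up for this illustration.

```python
import ssl

# Cipher list taken from the dovecot/lighttpd/exim settings quoted above.
PAGE_CIPHER_LIST = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305"


def enabled_ciphers(cipher_list=None):
    """Return {protocol: [(name, strength_bits), ...]} for a server context.

    cipher_list is an OpenSSL cipher string (TLS 1.2 and below);
    None keeps the library default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_list is not None:
        ctx.set_ciphers(cipher_list)
    by_proto = {}
    for c in ctx.get_ciphers():
        entry = (c["name"], c["strength_bits"])
        by_proto.setdefault(c["protocol"], []).append(entry)
    return by_proto


def audit(cipher_list, min_bits=256):
    """Report what a cipher list alone does and does not restrict."""
    before = enabled_ciphers().get("TLSv1.3", [])
    after_all = enabled_ciphers(cipher_list)
    after = after_all.get("TLSv1.3", [])
    return {
        # TLS 1.2 ciphers that survive the restriction
        "tls12_names": [name for name, _ in after_all.get("TLSv1.2", [])],
        # True when the TLS 1.3 suites are identical before and after
        "tls13_unchanged": before == after,
        # TLS 1.3 suites still offered with a key shorter than min_bits
        "tls13_below_min": [name for name, bits in after if bits < min_bits],
    }


if __name__ == "__main__":
    report = audit(PAGE_CIPHER_LIST)
    print("TLS 1.2 ciphers left:", report["tls12_names"])
    print("TLS 1.3 suites untouched by cipher list:", report["tls13_unchanged"])
    print("TLS 1.3 suites under 256 bits still offered:", report["tls13_below_min"])
```

Any name reported under `tls13_below_min` is a suite that only a separate ciphersuites setting, like the `ssl_cipher_suites` and `Ciphersuites` lines in the dovecot and lighttpd examples, can remove.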