Re: Disable weak TLS
- From: hugo@xxxxxxxxx (Hugo Villeneuve)
- Date: Fri, 28 Sep 2007 02:25:09 -0400
<decourl@xxxxxxxxx> wrote:
Hi,
I have a server which advertises STARTTLS and accepts TLS if the
client wishes or accepts in-the-clear otherwise. I need to be able to
disallow negotiation of weak (56 bit or below) encryption without
enforcing a TLS requirement (in-the-clear should still be fine).
Appreciate any info as the FAQ recommends this group for advanced
TLS info.
I'd go with Per, you have a strange requirement.
By default, most use the best encryption available. Does your log really
list 56 bit encryption entries?
If a client can only use 56 bit encryption, I doubt he will fall back
nicely to no starttls if you disable low grade encryption. You'll
probably have to add "Srv_Features:computername S" entries to the access
file to disable STARTTLS for certain clients.
Looking at the code, if you recompile sendmail with -D_FFR_TLS_1, you
will be able to add an "O CipherList=HIGH" option to your sendmail.cf
file to select the encryption methods available to the TLS engine. (See
the openssl ciphers manual page for how to write the CipherList=
string.)
I have not tested this. FFR means For Future Release. Or experimental.
Or "you're on your own".
This page explains it with siteconfig and m4 cf examples (the proper way
to do things):
http://sial.org/howto/sendmail/cipherlist/
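Before putting a CipherList= string into sendmail.cf, it is worth checking what it actually admits, since the original poster's requirement is "nothing at 56 bits or below" rather than a particular cipher name. The script below is an added example, not part of the thread or of sendmail: it parses the output of `openssl ciphers -v '<CipherList string>'`, reads the Enc=ALG(bits) field of each suite, and reports every suite whose symmetric key is 56 bits or weaker, has no encryption (Enc=None), or is an export suite. The sample lines embedded in it are constructed to resemble `openssl ciphers -v` output and are not captured from a real OpenSSL build; the script name and the 56-bit threshold are assumptions.

```python
import re
import sys

# Constructed sample in the shape of `openssl ciphers -v` output
# (not captured from a real OpenSSL run; used when no input is piped in).
SAMPLE_OPENSSL_CIPHERS_V = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Threshold from the question in the thread: 56 bit or below is "weak" (assumption).
MAX_WEAK_BITS = 56

# Matches the Enc= field, e.g. "Enc=DES(56)", "Enc=3DES(168)", "Enc=None".
ENC_RE = re.compile(r"\bEnc=(?P<alg>[A-Za-z0-9/-]+)(?:\((?P<bits>\d+)\))?")


def parse_cipher_lines(text):
    """Turn `openssl ciphers -v` lines into dicts: name, enc algorithm, key bits, export flag."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        m = ENC_RE.search(line)
        if m is None:  # not a cipher line (e.g. an error message)
            continue
        bits = int(m.group("bits")) if m.group("bits") else 0  # Enc=None -> 0 bits
        suites.append({
            "name": fields[0],
            "enc": m.group("alg"),
            "bits": bits,
            "export": "export" in fields,
        })
    return suites


def weak_suites(suites, max_weak_bits=MAX_WEAK_BITS):
    """Return the suites a CipherList string should not admit under the 56-bit rule."""
    return [
        s for s in suites
        if s["bits"] <= max_weak_bits or s["enc"] == "None" or s["export"]
    ]


def main():
    # Pipe `openssl ciphers -v 'HIGH'` (or any candidate string) into this script;
    # with no piped input it checks the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OPENSSL_CIPHERS_V
    suites = parse_cipher_lines(text)
    weak = weak_suites(suites)
    print("%d suites admitted, %d at or below %d bits:" % (len(suites), len(weak), MAX_WEAK_BITS))
    for s in weak:
        print("  %-24s Enc=%s(%d)%s" % (s["name"], s["enc"], s["bits"],
                                        " export" if s["export"] else ""))
    return 1 if weak else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `openssl ciphers -v 'HIGH' | python3 check_cipherlist.py`; a non-zero exit means the candidate string still admits a suite at or below 56 bits, so it is not yet what the poster asked for. The check only covers what the CipherList string permits on the server side; it says nothing about whether a client restricted to such suites will fall back to clear text, which is the separate point raised about Srv_Features above.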