https://bugs.exim.org/show_bug.cgi?id=2872
[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #3 from [email protected] ---
Although I agree this is not a bug but a wishlist item, I also want to join this request.

For me, it is the fact that I only want to enable 256bit encryption throughout my server - which with exim and TLSv1.3 enabled - I am currently unable to do so.

Considering that TLSv1.3 is the future and here to stay (and a developer would consider an implementation) I kindly suggest the double settings route (like OpenSSL itself and every other major daemon by now) in form of cipher list and suites:

dovecot example:

    ssl = yes
    ssl_cert = </srv/tls/full_chain
    ssl_key = </srv/tls/private_key
    ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
    ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl_curve_list = secp384r1

lighttpd example:

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/srv/tls/full_chain"
        ssl.privkey = "/srv/tls/private_key"
        ssl.openssl.ssl-conf-cmd = (
            "CipherString" => "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305",
            "Ciphersuites" => "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
            "Curves" => "secp384r1"
        )
    }

exim currently:

    tls_on_connect_ports = 465
    tls_certificate = /srv/tls/full_chain
    tls_privatekey = /srv/tls/private_key
    tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
    tls_eccurve = secp384r1

Possible exim implementation suggestion:

    +tls_require_suites = ...

and

    +dane_require_tls_suites = ...

Sadly I do not speak C, else I would gladly contribute. So all I am left with is hoping that a developer might consider it.

Thanks very much.
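The gap described in comment #3 can be audited from any OpenSSL-backed stack. The following is an added example, not part of the bug report and not Exim code: it uses Python's `ssl` module, whose `set_ciphers()` sets only the OpenSSL cipher list (TLS 1.2 and below), to show which suites remain enabled after applying the comment's cipher string. The `SAMPLE` data and the `audit` helper are constructed for illustration.

```python
import ssl

# Cipher list taken from the comment's Exim config (tls_require_ciphers).
REQUESTED = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305"

# Constructed sample in the shape ssl.SSLContext.get_ciphers() returns, so the
# audit logic can be exercised without depending on the local OpenSSL build.
SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "strength_bits": 256},
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "protocol": "TLSv1.3", "strength_bits": 256},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "strength_bits": 128},
    {"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "ECDHE-ECDSA-CHACHA20-POLY1305", "protocol": "TLSv1.2", "strength_bits": 256},
]


def enabled_ciphers(cipher_list):
    """Apply a TLS<=1.2 cipher list and return what the context still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # does not touch the TLS 1.3 ciphersuites
    return ctx.get_ciphers()


def audit(ciphers, requested, min_bits=256):
    """Split enabled ciphers by protocol and flag anything outside the policy."""
    wanted = set(requested.split(":"))
    report = {"tls12": [], "tls13": [], "unrequested": [], "below_min": []}
    for c in ciphers:
        key = "tls13" if c["protocol"] == "TLSv1.3" else "tls12"
        report[key].append(c["name"])
        if c["name"] not in wanted:
            report["unrequested"].append(c["name"])   # enabled but never asked for
        if c["strength_bits"] < min_bits:
            report["below_min"].append(c["name"])     # violates the 256-bit policy
    return report


if __name__ == "__main__":
    for title, ciphers in (("constructed sample", SAMPLE),
                           ("local OpenSSL", enabled_ciphers(REQUESTED))):
        print(title)
        for field, names in audit(ciphers, REQUESTED).items():
            print(f"  {field:12} {', '.join(names) or '-'}")
```

The "local OpenSSL" output depends on the OpenSSL version and system crypto policy the interpreter is linked against.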
