[postfix-users] TLS cipher negotiation
Tobias Hachmer via postfix-users
postfix-users at de.postfix.org
Wed Aug 14 12:08:17 CEST 2013
Hello Jochen,
On 14.08.2013 11:51, Jochen Fahrner via postfix-users wrote:
> How does TLS cipher negotiation actually work between mail servers?
>
> Do I, as server or client, have the option to say: "we take the
> strictest possible one that we both support"?
Excerpt from the Postfix documentation:
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list.
This is possible only with SSLv3 and later, as in SSLv2 the client
chooses the cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by the
client. Setting "tls_preempt_cipherlist = yes" enables server cipher
preferences. The default OpenSSL behavior applies with
"tls_preempt_cipherlist = no".
While server cipher selection may in some cases lead to a more secure or
performant cipher choice, there is some risk of interoperability issues.
In the past, some SSL clients have listed lower priority ciphers that
they did not implement correctly. If the server chooses a cipher that
the client prefers less, it may select a cipher whose client
implementation is flawed.
Regards, Tobias
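The two selection rules from the quoted documentation, worked through as an added illustration that is not part of the original post or of Postfix itself; the server and client cipher lists are constructed sample data, not captured from a real handshake:

```python
# Added illustration of the two cipher-selection rules quoted above.
# Not Postfix code; the cipher lists are constructed sample data.

def select_cipher(server_prefs, client_offered, preempt):
    """Return the negotiated cipher, or None if the lists do not overlap.

    preempt=False: OpenSSL default (tls_preempt_cipherlist = no), the
                   client's most preferred cipher that the server also
                   supports wins.
    preempt=True:  tls_preempt_cipherlist = yes, the server's most
                   preferred cipher that the client offered wins.
    Both lists are ordered most-preferred first.
    """
    server_set = set(server_prefs)
    client_set = set(client_offered)
    if preempt:
        for cipher in server_prefs:
            if cipher in client_set:
                return cipher
    else:
        for cipher in client_offered:
            if cipher in server_set:
                return cipher
    return None

# Constructed server preference list, strongest first.
SERVER_PREFS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]

# Constructed client list: a weaker cipher is listed first, but the
# strong ones are offered further down. This is the case where
# tls_preempt_cipherlist changes the outcome.
CLIENT_OFFERED = [
    "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES256-SHA",
]

if __name__ == "__main__":
    print("client preference wins:",
          select_cipher(SERVER_PREFS, CLIENT_OFFERED, preempt=False))
    print("server preference wins:",
          select_cipher(SERVER_PREFS, CLIENT_OFFERED, preempt=True))
```

With the server preempting, the client ends up on a cipher it ranked lower, which is exactly the interoperability risk the documentation warns about if that lower-ranked implementation is flawed.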