Hi Andrew,

On 18.09.21 22:45, Andrew C Aitchison via Exim-users wrote:
>> I use testssl.sh (https://testssl.sh/) to verify my configuration
>> (as there is nothing handy like the Qualys Test for HTTPS, IMHO).
>
> Hardenize https://www.hardenize.com/ is not bad.

Yes, Hardenize is a good start, I like their holistic approach. Compared to the Qualys SSL test, however, the TLS information is not as detailed as it could be.

>> Testing robust (perfect) forward secrecy, (P)FS -- omitting Null
>> Authentication/Encryption, 3DES, RC4
>>
>> PFS is offered (OK)  TLS_AES_256_GCM_SHA384
>> TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384
>> ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256
>> ECDHE-RSA-AES128-GCM-SHA256
>> Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
>> Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144
>> ffdhe8192
>>
>> Testing server preferences
>>
>> Has server cipher order? yes (OK) -- TLS 1.3 and below
>> Negotiated protocol TLSv1.3
>> Negotiated cipher TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
>> Cipher order
>> TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305
>> ECDHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES256-CCM AES128-GCM-SHA256
>> AES128-CCM
>> TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
>> TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256
>
>> Besides this: About 85% of the incoming traffic is still unencrypted
>> (for my statistics, mainly because some high volume mailing list
>> servers do not use TLS), about 10% uses TLS1.3, 5% still uses TLS1.2
>> (I log TLS ciphers via +tls_cipher in Exim).
> It looks as though you do not allow TLSv1.1 - I suspect that a substantial
> fraction of that 85% would use it if you allowed it.
> For email it is probably better to allow TLSv1.1 than reject it
> and end up receiving the message in plain.

TLS1.2+ is state of the art, I intentionally disabled anything below that. That unencrypted fraction is mainly from LKML, their host does not even try STARTTLS. Which is okay for a public mailing list server, imho.

Regards,
Thomas

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
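The per-protocol statistics Thomas quotes ("85% unencrypted, 10% TLS1.3, 5% TLS1.2") come from the `X=` field that Exim writes to its mainlog on inbound (`<=`) lines once `log_selector = +tls_cipher` is set. The following script is an added example, not code from the thread or from the Exim project: it parses constructed mainlog-style lines (the hostnames, message ids and addresses are made up), counts inbound messages per TLS protocol and cipher, computes the percentages, and lists sessions that negotiated a legacy protocol (TLS1.0/1.1), which is the signal a postmaster would watch if they followed Andrew's suggestion to re-enable TLSv1.1. It assumes the `X=<protocol>:<cipher>:<bits>` layout and accepts both the `TLS1.x` and `TLSv1.x` spellings seen with different TLS libraries.

```python
import re
from collections import Counter

# Constructed sample in Exim mainlog style (not real traffic). Inbound lines
# carry "<="; a TLS session adds X=<protocol>:<cipher>:<bits>, a plain
# session (P=esmtp) has no X= field. The "=>" line is an outbound delivery
# and must not be counted.
SAMPLE_MAINLOG = """\
2021-09-18 22:41:03 1mRcQp-0001A2-Hf <= list-bounces@example.org H=lists.example.org [192.0.2.10] P=esmtp S=4321 id=a1@example.org
2021-09-18 22:42:17 1mRcS0-0001B7-2k <= alice@example.com H=mx.example.com [198.51.100.5] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2210 id=b2@example.com
2021-09-18 22:43:55 1mRcTb-0001C1-9Q <= bob@example.net H=smtp.example.net [203.0.113.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=987 id=c3@example.net
2021-09-18 22:44:30 1mRcUA-0001D3-Lp <= list-bounces@example.org H=lists.example.org [192.0.2.10] P=esmtp S=5120 id=d4@example.org
2021-09-18 22:45:02 1mRcUg-0001E0-Xy => alice@example.com R=dnslookup T=remote_smtp H=mx.example.com [198.51.100.5] X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=yes C="250 OK"
2021-09-18 22:46:48 1mRcWQ-0001F5-Rt <= carol@example.com H=mx.example.com [198.51.100.5] P=esmtps X=TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256 CV=no S=1500 id=e5@example.com
2021-09-18 22:47:10 1mRcWm-0001G2-Qa <= dave@example.org H=old.example.org [192.0.2.77] P=esmtps X=TLS1.1:ECDHE-RSA-AES256-SHA:256 CV=no S=640 id=f6@example.org
"""

# "<date> <time> <message-id> <= " marks an inbound message line.
INBOUND_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ <= ")
# X= field as written with +tls_cipher; "TLSv?" covers both spellings.
TLS_RE = re.compile(r"\bX=(?P<proto>TLSv?1\.\d):(?P<cipher>[^:\s]+):(?P<bits>\d+)\b")

LEGACY_PROTOCOLS = {"TLS1.0", "TLS1.1"}


def classify(line):
    """Return (protocol, cipher) for an inbound line; protocol is "none" for
    plain SMTP. Returns None for lines that are not inbound messages."""
    if not INBOUND_RE.match(line):
        return None
    m = TLS_RE.search(line)
    if not m:
        return ("none", None)
    proto = m.group("proto").replace("TLSv", "TLS")  # normalise library spelling
    return (proto, m.group("cipher"))


def summarise(log_text):
    """Count inbound messages per protocol (including "none") and per cipher."""
    protos, ciphers = Counter(), Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        proto, cipher = result
        protos[proto] += 1
        if cipher:
            ciphers[cipher] += 1
    return protos, ciphers


def percentages(protos):
    """Share of inbound traffic per protocol, rounded to one decimal."""
    total = sum(protos.values())
    if not total:
        return {}
    return {p: round(100.0 * n / total, 1) for p, n in protos.items()}


def legacy_sessions(log_text):
    """Message ids of inbound sessions that negotiated TLS1.0 or TLS1.1."""
    ids = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] in LEGACY_PROTOCOLS:
            ids.append(line.split()[2])
    return ids


if __name__ == "__main__":
    protos, ciphers = summarise(SAMPLE_MAINLOG)
    for proto, pct in sorted(percentages(protos).items()):
        print(f"{proto:8s} {protos[proto]:4d} messages  {pct:5.1f}%")
    print("ciphers:", dict(ciphers))
    print("legacy sessions:", legacy_sessions(SAMPLE_MAINLOG))
```

Run it against a real mainlog with `summarise(open("/var/log/exim4/mainlog").read())`; the path depends on the distribution. Only inbound lines are counted, so outbound deliveries (which also carry `X=`) do not inflate the share of encrypted traffic.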
