On Sat, Apr 9, 2016, at 12:27 PM, Viktor Dukhovni wrote:
> The most recently removed ciphers are at the front of the list when
> ciphers are restored. Therefore, "aNULL:-aNULL:ALL:@STRENGTH" is
> different from "ALL:@STRENGTH" in that at any given strength the
> aNULL ciphers are listed first. There's not much point in enabling
> aNULL ciphers if they are not used when supported at both ends (and
> the client is ignoring any server certificate anyway).
>
> % bash
> $ diff -u \
>     <(openssl ciphers -v ALL:@STRENGTH) \
>     <(openssl ciphers -v aNULL:-aNULL:ALL:@STRENGTH)
> ...
Ok, that's dense. I clearly need to read some more. I simply don't get
what the intent of that^ is. I thought 'NULL' were "a bad thing", and
that we shouldn't be using them at all.

Digging in various places, I've found a number of examples that had
something close to

    smtp_tls_ciphers = medium
    smtpd_tls_ciphers = medium
    smtp_tls_exclude_ciphers = aDH, aDSS, aECDH, EXPORT, kDHd, kDHr, kECDHe, kECDHr, KRB5, LOW, MD5, PSK, RC2, RC5
    smtpd_tls_exclude_ciphers = EXPORT, IDEA, LOW, MD5, RC2
    smtp_tls_mandatory_ciphers = medium
    smtp_tls_mandatory_ciphers = medium

Those^ exclude lists are an aggregate of what I've found so far. I'm
reading up on each of them.

What I want to get to is to make sure that the "bad" ciphers are NOT
enabled/used. Since I didn't think we should be using NULL-anything, I
expected to see 'medium' NOT using them at all. I guess we're not here^,
but I still can't understand why we ENABLE them first, & why that's a
good thing.

Jason
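As an added illustration (not part of either message above, and not OpenSSL's or Postfix's own code): a small Python model of how OpenSSL walks a cipher string, run over a constructed six-cipher table. It reproduces the ordering difference Viktor describes: a "-" rule deactivates matching ciphers but moves them to the head of the walk order, so a later "ALL" restores them first at each strength, whereas a "!" rule (the form Postfix generates for each entry in smtp_tls_exclude_ciphers) removes them for good. The cipher table, the keyword set and the strength sort are simplifications chosen for the example.

```python
"""Simplified model of OpenSSL cipher-string evaluation (added example).

Assumptions (not from the original thread or OpenSSL source):
  - the cipher table below is a constructed subset, listed in the order the
    evaluator walks it;
  - only the keywords needed for the example are modelled;
  - @STRENGTH is a stable sort by key bits, descending.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    bits: int
    auth: str  # "RSA", or "NONE" for anonymous (aNULL) suites


# Constructed sample table; anonymous suites sit at the tail of the walk order.
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", 256, "RSA"),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", 128, "RSA"),
    Cipher("AES128-SHA", 128, "RSA"),
    Cipher("DES-CBC3-SHA", 112, "RSA"),
    Cipher("AECDH-AES256-SHA", 256, "NONE"),
    Cipher("ADH-AES128-SHA", 128, "NONE"),
]

# Keyword -> predicate over a Cipher (hypothetical, minimal keyword set).
KEYWORDS = {
    "ALL": lambda c: True,
    "aNULL": lambda c: c.auth == "NONE",
    "aRSA": lambda c: c.auth == "RSA",
    "HIGH": lambda c: c.bits >= 128,
    "MEDIUM": lambda c: c.bits == 112,
}


def evaluate(cipher_string, table=CIPHERS):
    """Return the active cipher names after applying each rule left to right."""
    universe = list(table)  # walk order; "-" moves its hits to the head
    active = []             # currently enabled ciphers, in preference order
    killed = set()          # ciphers removed by "!" can never come back
    for word in cipher_string.split(":"):
        if word == "@STRENGTH":
            active.sort(key=lambda c: -c.bits)  # stable: ties keep list order
            continue
        op, key = (word[0], word[1:]) if word[0] in "-!+" else ("", word)
        hits = [c for c in universe if KEYWORDS[key](c)]
        if op == "":
            # plain add: append inactive, non-killed hits in walk order
            active += [c for c in hits if c not in active and c not in killed]
        elif op == "+":
            # reorder: move already-active hits to the tail, in walk order
            active = [c for c in active if c not in hits] + \
                     [c for c in hits if c in active]
        elif op == "-":
            # soft remove: deactivate, but put hits at the head of the walk
            # order so a later add restores them first (Viktor's point)
            active = [c for c in active if c not in hits]
            universe = hits + [c for c in universe if c not in hits]
        elif op == "!":
            # hard remove: deactivate and forbid any later re-add
            active = [c for c in active if c not in hits]
            killed.update(hits)
    return [c.name for c in active]


def anonymous_first_at_each_strength(names, table=CIPHERS):
    """True if, within every key-size group, anonymous suites precede the rest."""
    by_name = {c.name: c for c in table}
    seen_authenticated = set()
    for n in names:
        c = by_name[n]
        if c.auth == "NONE" and c.bits in seen_authenticated:
            return False
        if c.auth != "NONE":
            seen_authenticated.add(c.bits)
    return True


if __name__ == "__main__":
    for s in ("ALL:@STRENGTH", "aNULL:-aNULL:ALL:@STRENGTH", "ALL:!aNULL:aNULL"):
        print(f"{s:32} -> {evaluate(s)}")
```

Running the block prints the three orderings side by side: the plain "ALL:@STRENGTH" list interleaves anonymous and RSA suites by walk order, the "aNULL:-aNULL:ALL:@STRENGTH" list puts the anonymous suite first within the 256-bit and 128-bit groups, and the "!aNULL" list never gets them back even when "aNULL" appears later in the string.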