>> smtpd_tls_exclude_ciphers=MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
>> smtpd_tls_mandatory_exclude_ciphers=aNULL
>
>Mostly harmless, but not necessary.

On Fri, Jan 29, 2021 at 06:53:09PM +0100, Matus UHLAR - fantomas wrote:
>yes, but when the policy is encryption required for client-server
>connections, aNULL would break that IIUC
>- please correct me if I'm wrong

On 29.01.21 15:09, Viktor Dukhovni wrote:
>You're wrong.  The "a" in aNULL ciphers stands for "authentication".
>These ciphers just do anonymous Diffie-Hellman, but do not authenticate
>either party.  They encrypt the traffic just as well as the ciphers
>that present certificates that you ignore anyway.

So the connection/encryption would work, but with aNULL it will be
unauthenticated, which means certificates won't be checked?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Micro random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
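
Added example, not part of the thread: a small Python audit that separates "encrypts" from "authenticates" for cipher suites, which is the distinction discussed above for aNULL. The sample rows are constructed in the column layout of `openssl ciphers -v`, and the function names are hypothetical.

```python
"""Classify `openssl ciphers -v` style lines by encryption and authentication."""
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input in the column layout of `openssl ciphers -v`.
SAMPLE = """\
ADH-AES256-GCM-SHA384       TLSv1.2 Kx=DH   Au=None Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA  Enc=None        Mac=SHA256
AECDH-NULL-SHA              TLSv1   Kx=ECDH Au=None Enc=None        Mac=SHA1
"""


class Cipher(NamedTuple):
    name: str
    kx: str
    au: str
    enc: str


def parse(text: str) -> List[Cipher]:
    """Parse each non-empty line into name plus its Kx/Au/Enc attributes."""
    ciphers = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        attrs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        missing = {"Kx", "Au", "Enc"} - attrs.keys()
        if missing:
            raise ValueError(f"{fields[0]}: missing {sorted(missing)}")
        ciphers.append(Cipher(fields[0], attrs["Kx"], attrs["Au"], attrs["Enc"]))
    return ciphers


def audit(text: str) -> Dict[str, Tuple[bool, bool]]:
    """Map cipher name -> (encrypts, authenticates)."""
    return {c.name: (c.enc != "None", c.au != "None") for c in parse(text)}


def anonymous_but_encrypted(text: str) -> List[str]:
    """aNULL suites that still encrypt: Au=None with a real Enc= algorithm."""
    return [n for n, (enc, auth) in audit(text).items() if enc and not auth]


if __name__ == "__main__":
    for name, (enc, auth) in audit(SAMPLE).items():
        print(f"{name:28} encrypts={enc!s:5} authenticates={auth}")
```

The `Au=None` rows are the aNULL suites; only the rows with `Enc=None` (eNULL) carry traffic unencrypted.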
