diff options
author | Phil Pennock <pdp@exim.org> | 2018-04-15 17:45:48 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2018-04-15 17:45:48 -0400 |
commit | d9594575683785c7125c5fd1a15c8346a6f8b82b (patch) | |
tree | d4b6525842db56d8ffb4a1962b80834c848f49d2 /doc/doc-txt/openssl.txt | |
parent | 777e3beace88a39457ee4a856a094e16649f333f (diff) |
Enable weak/old stuff in OpenSSL
Configure OpenSSL with:
enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
Include explanation as to why.
Diffstat (limited to 'doc/doc-txt/openssl.txt')
-rw-r--r-- | doc/doc-txt/openssl.txt | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/doc/doc-txt/openssl.txt b/doc/doc-txt/openssl.txt index 7bcd47907..3efa8337f 100644 --- a/doc/doc-txt/openssl.txt +++ b/doc/doc-txt/openssl.txt @@ -28,6 +28,27 @@ Fortunately, this is easy. So this only applies if you build Exim yourself. +Insecure versions and ciphers +----------------------------- + +Email delivery to MX hosts is usually done with automatic fallback to +plaintext if TLS could not be negotiated. There are good historical reasons +for this. You can and should avoid it by using DNSSEC for signing your DNS +and publishing TLSA records, to enable "DANE" security. This signals to +senders that they should be able to verify your certificates, and that they +should not fallback to cleartext. + +In the absence of DANE, trying to increase the security of TLS by removing +support for older generations of ciphers and protocols will actually _lower_ +the security, because the clients fallback to plaintext and retry anyway. As +a result, you should give serious thought to enabling older features which are +no longer default in OpenSSL. + +The examples below explicitly enable ssl3 and weak ciphers. + +We don't like this, but reality doesn't care and is messy. + + Build ----- @@ -45,7 +66,8 @@ will try to use the new OpenSSL, then stick to something like ./config --prefix=/opt/openssl --openssldir=/etc/ssl \ -L/opt/openssl/lib -Wl,-R/opt/openssl/lib \ - enable-ssl-trace shared + enable-ssl-trace shared \ + enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers make make install |