updated cipher exclude list

Due to a bug in internet.nl, some 'insufficient' and 'phase out' algorithms were enabled but not detected (https://github.com/NLnetLabs/Internet.nl/issues/477). This lead to a false positive test result of the cipher sub test. This new cipher exclude list fixes this.
This commit is contained in:
Dennis Baaten 2020-09-23 21:58:43 +02:00 committed by GitHub
parent 970251b749
commit 435601cf34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -58,8 +58,8 @@ Under construction
# disable compression and client-initiated renegotiation # disable compression and client-initiated renegotiation
tls_ssl_options = NO_COMPRESSION, 0x40000000 tls_ssl_options = NO_COMPRESSION, 0x40000000
# disable unsecure ciphers # disable unsecure ciphers
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-AES256-CCM8, AES256-CCM8, DHE-RSA-AES128-CCM8, AES128-CCM8 smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-AES256-CCM8, AES256-CCM8, DHE-RSA-AES128-CCM8, AES128-CCM8 smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
# Enable server cipher-suite preferences # Enable server cipher-suite preferences
tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
# Forward secrecy # Forward secrecy