Hello Jochen,
On 14.08.2013 11:51, Jochen Fahrner via postfix-users wrote:
How does TLS cipher negotiation between mail servers actually work?
As server or client, do I have a way to say: "we take the strictest one that we both support"?
Excerpt from the Postfix documentation:
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. This is possible only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client. Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. The default OpenSSL behavior applies with "tls_preempt_cipherlist = no".
While server cipher selection may in some cases lead to a more secure or performant cipher choice, there is some risk of interoperability issues. In the past, some SSL clients have listed lower priority ciphers that they did not implement correctly. If the server chooses a cipher that the client prefers less, it may select a cipher whose client implementation is flawed.
Regards, Tobias
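The two selection rules the quoted Postfix documentation describes, modelled as an added example (this is not code from Postfix, OpenSSL or the poster). The cipher lists, and the claim that the client's implementation of one of its low-priority ciphers is flawed, are constructed for illustration; the one real knob shown is OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE, exposed in Python as ssl.OP_CIPHER_SERVER_PREFERENCE, which is the option tls_preempt_cipherlist toggles.

```python
"""Model of how an OpenSSL server picks a cipher with and without server
preference (Postfix: tls_preempt_cipherlist = no / yes).

Added example; not from the Postfix documentation or the mailing-list post.
"""
import ssl

# Constructed preference lists (hypothetical, for illustration only).
# The client puts a cheap cipher first and a strong one last; the server
# wants the strong one first.
CLIENT_PREFS = [
    "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
]
SERVER_PREFS = [
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
]
# Constructed: the client advertises this cipher but implements it badly,
# the interoperability risk the Postfix documentation warns about.
CLIENT_BROKEN = frozenset({"DHE-RSA-AES256-SHA"})


def select_cipher(client_prefs, server_prefs, server_preference=False):
    """Return the cipher the server selects, or None if there is no overlap.

    server_preference=False (OpenSSL default, tls_preempt_cipherlist = no):
        walk the client's list in the client's order and take the first
        cipher the server also supports.
    server_preference=True (tls_preempt_cipherlist = yes):
        walk the server's list in the server's order and take the first
        cipher the client offered.
    """
    if server_preference:
        ordered, offered = server_prefs, set(client_prefs)
    else:
        ordered, offered = client_prefs, set(server_prefs)
    for cipher in ordered:
        if cipher in offered:
            return cipher
    return None


def simulate_handshake(client_prefs, server_prefs, server_preference,
                       client_broken=frozenset()):
    """Return (chosen cipher, outcome) for one modelled handshake.

    A cipher the client lists but implements incorrectly negotiates fine on
    the wire and then fails, which is exactly what server preference can
    trigger when it picks something the client ranked low.
    """
    chosen = select_cipher(client_prefs, server_prefs, server_preference)
    if chosen is None:
        return None, "failed: no cipher in common"
    if chosen in client_broken:
        return chosen, "failed: client implementation of this cipher is flawed"
    return chosen, "ok"


def server_context(preempt):
    """Build a server-side SSLContext with the OpenSSL flag Postfix toggles.

    tls_preempt_cipherlist = yes corresponds to SSL_OP_CIPHER_SERVER_PREFERENCE
    being set; = no corresponds to it being clear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if preempt:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def preempt_enabled(ctx):
    """True if the context will use the server's cipher order."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    for preempt in (False, True):
        cipher, outcome = simulate_handshake(
            CLIENT_PREFS, SERVER_PREFS, preempt, CLIENT_BROKEN)
        setting = "yes" if preempt else "no"
        print(f"tls_preempt_cipherlist = {setting:3} -> {cipher}: {outcome}")
```

Run stand-alone, the client-preference case lands on AES128-SHA (weak but working), while the server-preference case picks DHE-RSA-AES256-SHA, the stronger suite that this constructed client cannot actually handle. On a Postfix box the setting is `postconf -e 'tls_preempt_cipherlist = yes'` followed by a reload; the cipher that was actually negotiated shows up in the "TLS connection established ... with cipher ..." lines in the mail log, which is where an interoperability regression after enabling it would first be visible.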