
Re: [Nmh-workers] TLS with smtp not working for me

2017-05-31 10:38:19
> Is it possible for the client (nmh) to control which ciphers it will
> negotiate with the server?

It's certainly possible for a client to specify a cipher list via the
OpenSSL API.  This is not a knob I have wanted to expose, though, just
for the sake of complexity (the programming isn't hard; it's one API
call, but all of the other stuff surrounding it would be a pain, and
then there is the issue of documentation ....).

But as Valdis points out, the issue really isn't the cipher list, it's
TLS 1.0 itself.  I'm still surprised that in 2017 the main SMTP server
for a large university would support TLS 1.0 as the _highest_ protocol.
I can understand supporting TLS 1.0 in addition to TLS 1.1 and 1.2 to
handle support for older clients, but NOT supporting TLS 1.1 or 1.2
seems crazy to me.  That almost seems like a misconfiguration to me.

As Valdis's SECOND note says, the issues with TLS 1.0 have been around
for a while, and I think when I wrote the nmh netsec layer that's what
I had found and I figured it made sense for nmh to be up-to-date when
it came to security for once.

I welcome other thoughts on this topic.

--Ken

_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
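As an added illustration (not nmh's own code, which talks to OpenSSL directly from C), the two knobs discussed above, the minimum protocol version and the cipher list, set through Python's ssl module, which wraps the same OpenSSL calls; the cipher string and the audit helpers are assumptions chosen for the example:

```python
import ssl

# Assumed, illustrative cipher policy (forward-secret AEAD suites only);
# this is not nmh's configuration, just the kind of list one API call sets.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def make_client_context(ciphers=STRICT_CIPHERS, minimum=ssl.TLSVersion.TLSv1_2):
    """Build a STARTTLS client context that refuses anything below `minimum`.

    Against a server whose highest protocol is TLS 1.0 (the case in the
    thread) the handshake fails instead of silently negotiating TLS 1.0.
    """
    ctx = ssl.create_default_context()   # certificate and hostname checks on
    ctx.minimum_version = minimum        # the knob that actually decides TLS 1.0
    ctx.set_ciphers(ciphers)             # the single OpenSSL cipher-list call
    return ctx


def offered_cipher_names(ctx):
    """Names of the suites this context would advertise in ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_offers(ctx):
    """Suites the context would still offer that predate TLS 1.2.

    OpenSSL tags each suite with the oldest protocol it belongs to
    ("SSLv3", "TLSv1.0", "TLSv1.2", "TLSv1.3"); anything older than
    TLSv1.2 is a legacy CBC/RC4-era suite, so it is a sign the cipher
    list is looser than intended.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] not in MODERN_PROTOCOLS]


def accepts_tls10(ctx):
    """True if this context would negotiate with a TLS-1.0-only server."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    strict = make_client_context()
    print("minimum version :", strict.minimum_version.name)
    print("suites offered  :", len(offered_cipher_names(strict)))
    print("legacy suites   :", weak_offers(strict))
    print("accepts TLS 1.0 :", accepts_tls10(strict))
```

With this context a connection to a server capped at TLS 1.0 raises ssl.SSLError at handshake time, which is the behaviour the thread describes for nmh rather than a downgrade.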
