We had an auditor who stated that our stock compiled UW imapd allows low-grade ciphers (64-bit key length and below), and we were asked to disable this.

After poking around a bit, I encountered:

imap-2006a/src/osdep/unix/ssl_unix.c:#define SSLCIPHERLIST "ALL:!LOW"

which is fed to SSL_CTX_set_cipher_list(). It is my understanding that this will only disable LOW-grade ciphers (56- and 64-bit ciphers), while still allowing EXPORT-grade ciphers (at least the 40-bit ciphers). I could be wrong here. This also assumes that OpenSSL was compiled without any effort to disable any ciphers.

Shouldn't SSLCIPHERLIST by default be "ALL:!LOW:!EXP" so that all ciphers with a key length of less than or equal to 64 bits are disabled?

Thanks,
Jorgen

--
Jorgen Wahlsten                    phone: +1-212-522-6194
Principal Systems Engineer         AIM: jorgenwahlsten
Time Inc. Internet Technologies    YIM: jorgenwahlsten
http://www.time.com/time/          ICQ: 171198501

_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
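The question above turns on how OpenSSL resolves a cipher-list string. The OpenSSL ciphers(1) documentation defines LOW as the 56- and 64-bit suites excluding export suites, and EXPORT (alias EXP) as the 40- and 56-bit export suites, so the two keywords name disjoint sets and "!LOW" on its own leaves the export suites in place. The following is an added example, not code from the IMAP toolkit, from OpenSSL or from the original post: it models the cipher-string grammar that SSL_CTX_set_cipher_list() accepts (":" separators; "!", "-" and "+" prefixes; "+"-joined keyword intersection such as EXP+RC4) over a small constructed table of suites with their strength classes and key lengths, and reports which suites of 64 bits or less each candidate SSLCIPHERLIST value would still offer. The suite table and the helper names resolve_cipher_list() and weak_suites() are constructed for illustration.

```python
"""Model of OpenSSL cipher-list string resolution over a constructed suite table.

Added example: the suite table is constructed for illustration from the strength
classes documented in OpenSSL's ciphers(1) page; it is not the output of any
particular OpenSSL build, and resolve_cipher_list()/weak_suites() are
hypothetical helpers, not OpenSSL or UW imapd APIs.
"""
import re
from typing import Dict, List, Set, Tuple

# (suite name, symmetric key bits, keywords the suite belongs to).
# "ALL" is implied for every row; EXPORT suites also answer to the alias "EXP".
SUITES: List[Tuple[str, int, Set[str]]] = [
    ("AES256-SHA",          256, {"HIGH", "AES"}),
    ("AES128-SHA",          128, {"HIGH", "AES"}),
    ("DES-CBC3-SHA",        168, {"HIGH", "3DES"}),
    ("RC4-SHA",             128, {"MEDIUM", "RC4"}),
    ("RC4-MD5",             128, {"MEDIUM", "RC4"}),
    ("DES-CBC-SHA",          56, {"LOW", "DES"}),     # 56-bit, not an export suite
    ("EXP1024-DES-CBC-SHA",  56, {"EXPORT", "DES"}),  # 56-bit export suite
    ("EXP1024-RC4-SHA",      56, {"EXPORT", "RC4"}),
    ("EXP-RC4-MD5",          40, {"EXPORT", "RC4"}),  # 40-bit export suite
    ("EXP-DES-CBC-SHA",      40, {"EXPORT", "DES"}),
    ("EXP-RC2-CBC-MD5",      40, {"EXPORT", "RC2"}),
]
KEY_BITS: Dict[str, int] = {name: bits for name, bits, _ in SUITES}


def _tags(name: str, tags: Set[str]) -> Set[str]:
    """Expand a row's keywords with the implied ALL, its own name and the EXP alias."""
    full = set(tags) | {"ALL", name}
    if "EXPORT" in tags:
        full.add("EXP")
    return full


def _matches(item: str, name: str, tags: Set[str]) -> bool:
    """A bare item is a suite name or a '+'-joined AND of keywords (e.g. EXP+RC4)."""
    return all(part in _tags(name, tags) for part in item.split("+"))


def resolve_cipher_list(spec: str, suites=SUITES) -> List[str]:
    """Apply a cipher-list string item by item, following the ciphers(1) rules:
    no prefix adds the matching suites, '-' deletes them (they may be re-added by
    a later item), '!' deletes them permanently, '+' moves them to the end.
    Items that match nothing are skipped."""
    enabled: List[str] = []
    killed: Set[str] = set()
    for raw in re.split(r"[:, ]+", spec.strip()):
        if not raw:
            continue
        op, item = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        hit = [n for n, _, t in suites if _matches(item, n, t)]
        if op == "!":
            killed.update(hit)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in hit]
        elif op == "+":
            enabled = [n for n in enabled if n not in hit] + [n for n in enabled if n in hit]
        else:
            enabled += [n for n in hit if n not in enabled and n not in killed]
    return enabled


def weak_suites(spec: str, max_bits: int = 64) -> List[str]:
    """Suites the string would still offer at or below max_bits of key length."""
    return [n for n in resolve_cipher_list(spec) if KEY_BITS[n] <= max_bits]


if __name__ == "__main__":
    for spec in ("ALL:!LOW", "ALL:!LOW:!EXP"):
        print(f"{spec:16} still offers: {weak_suites(spec) or 'no suites of 64 bits or less'}")
```

Against a real library, `openssl ciphers -v 'ALL:!LOW:!EXP'` prints the list the installed OpenSSL would actually negotiate for a given string, which is the check to run after changing SSLCIPHERLIST; on modern OpenSSL releases the export and single-DES suites are no longer compiled in at all, so both strings print the same list there.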