On Fri, Jun 06, 2025 at 05:13:05PM +0200, Cyborg via Exim-users wrote:
> On 06.06.25 at 15:22, Viktor Dukhovni via Exim-users wrote:
> > You have to be more specific, Fedora's `s_client` is *more* restrictive
> > than OpenSSL upstream without the crypto-policy patches.
>
> but the used s_client is the Fedora s_client which was LESS restrictive....

Sorry, yes, I misspoke, the stock `s_client` offers kRSA ciphers, while
Exim (in your configuration) does not.

> I think this should be best discussed with Fedora's openssl maint or
> openssl devs, because it's a bit illogical to not use "DEFAULT" for
> the default settings :)

Well, you *are* already talking to an OpenSSL developer. And yes this
is all expected. Part of the real problem is a misconfiguration of the
remote server, it should by now not be configured with a 1024-bit DH
group, a 2048-bit DH group is more interoperable.

On the other hand, one can reasonably argue that Exim's security level
for opportunistic TLS should be set (by default or by the MTA operator,
whichever is applicable) to SECLEVEL ~ [01], tolerating somewhat weaker
ciphers that are still quite a bit better than cleartext. The Fedora
default security level seems to be at least "2" (roughly 112 bit, rather
than 80 bits at level 1, or no explicit floor at level 0, see
SSL_CTX_set_security_level(3)):

    $ /usr/bin/openssl s_client -starttls smtp -connect mail.femobunker.com:25 -brief \
        -cipher 'DEFAULT:!kRSA'
    Connecting to 93.62.204.35
    8072423A9D7F0000:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2314:

    $ /usr/bin/openssl s_client -starttls smtp -connect mail.femobunker.com:25 -brief -cipher 'DEFAULT:!kRSA:@SECLEVEL=1'
    Connecting to 93.62.204.35
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.2
    Ciphersuite: DHE-RSA-AES256-GCM-SHA384
    Peer certificate: CN=mail.femobunker.com
    Hash used: SHA256
    Signature type: RSA
    Verification: OK
    Server Temp Key: DH, 1024 bits
    250 DSN
    quit
    221 2.0.0 Bye

    $ /usr/bin/openssl s_client -starttls smtp -connect mail.femobunker.com:25 -brief \
        -cipher 'DEFAULT:!kRSA:@SECLEVEL=0'
    Connecting to 93.62.204.35
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.2
    Ciphersuite: DHE-RSA-AES256-GCM-SHA384
    Peer certificate: CN=mail.femobunker.com
    Hash used: SHA256
    Signature type: RSA
    Verification: OK
    Server Temp Key: DH, 1024 bits
    250 DSN
    quit
    221 2.0.0 Bye

That is, even with RSA key exchange disabled, the floor on the DH key
exchange strength can reasonably be allowed to be as "weak" as 1024-bits
(80 bit security level 1).
--
Viktor.
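
Added example (not part of the message above, and not OpenSSL or Exim code): a small Python check that reads `openssl s_client -brief` output like the sessions quoted above and reports the highest SECLEVEL at which the server's finite-field DH key would still be accepted. The function names are hypothetical, the size floors are those documented in SSL_CTX_set_security_level(3), and ECDH temp keys are not evaluated.

```python
import re

# DH modulus floor per OpenSSL security level, from the table in
# SSL_CTX_set_security_level(3): level -> (security bits, minimum DH bits).
LEVELS = {1: (80, 1024), 2: (112, 2048), 3: (128, 3072),
          4: (192, 7680), 5: (256, 15360)}

TEMP_KEY = re.compile(r"^Server Temp Key: DH, (\d+) bits\s*$", re.M)
TOO_SMALL = re.compile(r":error:[0-9A-F]+:SSL routines:[^:]*:dh key too small:")

def max_seclevel_for_dh(bits):
    """Highest level (1-5) whose DH floor `bits` meets; 0 if below every floor."""
    return max((lvl for lvl, (_, floor) in LEVELS.items() if bits >= floor),
               default=0)

def assess(transcript, wanted_level=2):
    """Summarise one `openssl s_client -brief` transcript (hypothetical helper)."""
    m = TEMP_KEY.search(transcript)
    bits = int(m.group(1)) if m else None
    level = max_seclevel_for_dh(bits) if bits is not None else None
    return {
        "dh_bits": bits,                      # None: no finite-field DH key seen
        "max_level": level,                   # highest SECLEVEL accepting the key
        "rejected": bool(TOO_SMALL.search(transcript)),
        "breaks_at_wanted": level is not None and level < wanted_level,
    }

# Sample input: lines copied from the sessions quoted in the message above.
SAMPLE_LEVEL1 = """Connecting to 93.62.204.35
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: DHE-RSA-AES256-GCM-SHA384
Server Temp Key: DH, 1024 bits
"""
SAMPLE_DEFAULT = ("8072423A9D7F0000:error:0A00018A:SSL routines:"
                  "tls_process_ske_dhe:dh key too small:"
                  "ssl/statem/statem_clnt.c:2314:\n")

if __name__ == "__main__":
    for name, text in (("SECLEVEL=1", SAMPLE_LEVEL1), ("default", SAMPLE_DEFAULT)):
        print(name, assess(text))
```

Run over a batch of saved transcripts, `breaks_at_wanted` lists the peers that would fall back to cleartext or fail if the client's security level were raised to `wanted_level`.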