On Fri, Apr 12, 2019 at 12:34:16PM -0400, micah anderson wrote:
> > Any reasonably recent version of OpenSSL will by default favour stronger
> > ciphers, including listing ciphers that do forward-secrecy above the rest.
> > For example, with OpenSSL 1.0.2 I get:
>
> Indeed, you are right, if I simply set `tls_preempt_cipher_list=yes`,
> then this will work that way.

Yes, I think this is by now unlikely to cause any issues.

> > That said, I would recommend reducing the attack surface by dropping some
> > ciphers nobody is using that would not be a good idea to use:
> >
> > smtpd_tls_exclude_ciphers = aDSS, kDH, kECDH, SEED, IDEA
>
> what about aNULL, MD5 and DES? They seem relatively safe to disable as well

* You don't need to explicitly disable (single) DES, it is already
  taken care of by setting the cipher grade to medium (or high).
  Perhaps you meant 3DES, yes, you can add that to the list.
  I have (ditto for the client settings):

    smtpd_tls_exclude_ciphers =
        #
        # Disable MD5, DSA, SRP and PSK, and the "exotic" fixed DH cipher suites.
        #
        MD5, SRP, PSK, aDSS, kECDH, kDH,
        #
        # Also disable the largely unused SEED, IDEA, RC2, RC5, ...
        # leaving just AES, CAMELLIA, RC4 and 3DES.
        #
        SEED, IDEA, RC2, RC5

  I don't actually end up with 3DES or RC4, (along with RC2 or RC5)
  they're by default disabled at compile time in OpenSSL 1.1.1:

    $ openssl ciphers -ciphersuites "" -v 3DES:RC4:IDEA:SEED:RC2:RC5
    IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
    DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
    DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
    ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
    SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1

* If your cipher grade is medium, you should probably disable MD5, which
  eliminates at most two ciphers:

    $ OpenSSL_1_0_2/bin/openssl ciphers -v 'MEDIUM+MD5'
    ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

* As for aNULL, it is no longer available when TLS 1.3 is negotiated. :-(
  Recent IETF consensus is to drop ballast and batten down the
  hatches. If your use-case is not mainstream enough, out it goes.
  That said, see https://tools.ietf.org/html/rfc7672#section-8.2

--
Viktor.
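
An added example, not part of the original message: a small audit helper that parses `openssl ciphers -v` output and reports which listed ciphers a given `smtpd_tls_exclude_ciphers` value leaves in place. The token-to-field mapping is a simplification of OpenSSL's own matching (SRP and PSK are not modelled, and the `Kx=DH/...` form for fixed DH is an assumption), and the function names are hypothetical.

```python
import re

# `openssl ciphers -v` lines copied from the message above, used as sample input.
SAMPLE = """\
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

# Captures: cipher name, Kx, Au, Enc (without the "(bits)" suffix), Mac.
ROW = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([^\s(]+)\S*\s+Mac=(\S+)")
LEGACY_ENC = {"SEED", "IDEA", "RC2", "RC5", "RC4", "3DES"}

def classes(kx, au, enc, mac):
    """Exclusion tokens that one cipher falls under (simplified mapping)."""
    hits = set()
    if mac == "MD5":
        hits.add("MD5")
    if au == "None":
        hits.add("aNULL")
    if au == "DSS":
        hits.add("aDSS")
    if enc in LEGACY_ENC:
        hits.add(enc)
    # Assumption: fixed (EC)DH suites are listed as Kx=DH/... or Kx=ECDH/...
    if kx.startswith("DH/"):
        hits.add("kDH")
    if kx.startswith("ECDH/"):
        hits.add("kECDH")
    return hits

def survivors(listing, exclude):
    """Names of listed ciphers that no token in `exclude` removes."""
    tokens = {t for t in re.split(r"[,\s]+", exclude) if t}
    kept = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m and not (classes(*m.groups()[1:]) & tokens):
            kept.append(m.group(1))
    return kept

if __name__ == "__main__":
    print("short list:", survivors(SAMPLE, "aDSS, kDH, kECDH, SEED, IDEA"))
    print("full list: ", survivors(
        SAMPLE, "MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5"))
```

To audit a live build, pass the output of `openssl ciphers -v` for the configured cipher grade as `listing`.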