On Tue, Oct 22, 2019 at 05:37:14PM -0400, J Doe wrote:

> > On Oct 22, 2019, at 1:18 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> > 
> >    $ openssl ciphers -stdname -s -tls1 -V AES256-SHA
> >    0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> 
> Ah, cool - I did not realize I could use the openssl command to “translate”
> the string that way.
>
> I see the AES mode, now, but I still can’t see whether DH/DHE/ECDHE was
> used for negotiation (or am I missing that in the output) ?

You see them not used.  Kx=RSA.  See ciphers(1):

       -v  Verbose output: For each cipher suite, list details as provided by
           SSL_CIPHER_description(3).

SSL_CIPHER_description(3):

    ...

       SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to
       the method used by c. If there is no key exchange, then NID_undef is
       returned.  If any appropriate key exchange algorithm can be used (as in
       the case of TLS 1.3 cipher suites) NID_kx_any is returned. Examples
       (not comprehensive):

        NID_kx_rsa
        NID_kx_ecdhe
        NID_kx_dhe
        NID_kx_psk

    ...

       The string returned by SSL_CIPHER_description() consists of several
       fields separated by whitespace:

       <ciphername>
           Textual representation of the cipher name.

       <protocol version>
           The minimum protocol version that the ciphersuite supports, such as
           TLSv1.2.  Note that this is not always the same as the protocol
           version in which the ciphersuite was first defined because some
           ciphersuites are backwards compatible with earlier protocol
           versions.

       Kx=<key exchange>
           Key exchange method such as RSA, ECDHE, etc.

       Au=<authentication>
           Authentication method such as RSA, None, etc.. None is the
           representation of anonymous ciphers.

       Enc=<symmetric encryption method>
           Encryption method, with number of secret bits, such as AESGCM(128).

       Mac=<message authentication code>
           Message digest, such as SHA256.

       Some examples for the output of SSL_CIPHER_description():

        ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
        RSA-PSK-AES256-CBC-SHA384 TLSv1.0 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384

-- 
        Viktor.
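
Added example, not part of the original message or of OpenSSL: a Python parser that pulls the Kx= field out of `openssl ciphers -v` / `-V -stdname` lines and reports whether the suite uses an ephemeral (EC)DHE key exchange. The function names and the Kx classification sets are assumptions made for this example; the first three sample lines are the ones quoted in the message, the TLS 1.3 line is constructed.

```python
import re

# Kx= strings printed by SSL_CIPHER_description(); these sets are an
# assumption compiled for this example and are not exhaustive.
EPHEMERAL_KX = {"DH", "ECDH", "DHEPSK", "ECDHEPSK"}
STATIC_KX = {"RSA", "PSK", "RSAPSK", "SRP"}
FIELD_RE = re.compile(r"^(Kx|Au|Enc|Mac)=(\S+)$")

# First three lines are quoted in the message above; the last is constructed.
SAMPLE = """\
0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-AES256-CBC-SHA384 TLSv1.0 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
"""

def parse_description(line):
    """Parse one line of `openssl ciphers -v` or `-V [-stdname]` output."""
    tokens = [t for t in line.split() if t != "-"]   # drop -V separators
    kx_at = next((i for i, t in enumerate(tokens) if t.startswith("Kx=")), None)
    if kx_at is None or kx_at < 2:
        raise ValueError(f"not a cipher description: {line!r}")
    # Name and protocol version are the two fields just before Kx=, which
    # skips the hex code and RFC name that -V -stdname put in front.
    info = {"name": tokens[kx_at - 2], "protocol": tokens[kx_at - 1]}
    for token in tokens[kx_at:]:
        match = FIELD_RE.match(token)
        if match:
            info[match.group(1)] = match.group(2)
    return info

def forward_secret(info):
    """True for ephemeral (EC)DHE, False for static, None if undetermined."""
    kx = info["Kx"]
    if kx in EPHEMERAL_KX:
        return True
    # "X/Y" forms (e.g. DH/RSA) are assumed to be the static DH suites
    # that older OpenSSL releases still listed.
    if kx in STATIC_KX or "/" in kx:
        return False
    return None   # e.g. Kx=any: TLS 1.3 picks the exchange in the handshake

def report(text):
    """Return (cipher name, Kx value, forward-secrecy verdict) per line."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [(i["name"], i["Kx"], forward_secret(i))
            for i in map(parse_description, lines)]

if __name__ == "__main__":
    for name, kx, fs in report(SAMPLE):
        print(f"{name:32} Kx={kx:9} forward_secret={fs}")
```
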
