On Fri, Mar 06, 2020 at 12:26:06AM +0100, ratatouille wrote:

> I have just two TLSv1 connections this month:
> ...
> 11 TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
>   9 TLSv1.2 with cipher CAMELLIA256-SHA (256/256 bits)
>   9 TLSv1.2 with cipher CAMELLIA128-SHA (128/128 bits)
>   9 TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>   8 TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
>   8 TLSv1.1 with cipher AES256-SHA (256/256 bits)
>   8 TLSv1.1 with cipher AES128-SHA (128/128 bits)
>   7 TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
>   7 TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA (128/128 bits)
>   7 TLSv1.1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
>   7 TLSv1.1 with cipher CAMELLIA256-SHA (256/256 bits)
>   7 TLSv1.1 with cipher CAMELLIA128-SHA (128/128 bits)
>   4 TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)
>   2 TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits)
>   1 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>   1 TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

That's two out of not very many total, are these actual message
deliveries, or just probes (tests)?

> > If not, then perhaps disabling TLSv1 will be harmless, but if you do,
> > perhaps prod the senders to upgrade first, before you prevent them
> > from establishing TLS connections to your MTA.
> 
> internet.nl says TLS 1.1 should be phased out and criticises this.

Just because they say it, doesn't mean it is actually the wise thing to do.

> It also criticises the key exchange parameter DH-4096 as insufficient

See above.

> I just created that key and made it available with
> smtpd_tls_dh1024_param_file = ${config_directory}/dh_4096.pem

Frankly, 2048-bit DH is quite sufficient, and 4096 is slow, and may not be
supported in some client stacks.

> Ok, thank you very much! Competent as always. I'll keep TLSv1 enabled
> for now.

You can keep an eye on your logs and decide when it is time to drop
support.  The most important thing is supporting stronger options that
most clients will negotiate.  Removing weaker options is less of a
priority except when they enable a downgrade attack.

In the case of TLSv1 there's no known (to me anyway) downgrade attack
from TLSv1.2.  SMTP MTAs don't do TLS version fallback, like browsers
used to do.  There's no urgent need to drop support for TLSv1 inbound.

Just make sure that you support at least TLSv1.2, and ignore the
checklists that try to shame you for leaving TLSv1 enabled.

-- 
    Viktor.
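
Added example, not part of the original message: one way to act on the "keep an eye on your logs" advice and on the deliveries-versus-probes question is to pair each smtpd TLS log line with the disconnect summary from the same smtpd process. It assumes `smtpd_tls_loglevel = 1` and the Postfix 3.x per-session `disconnect from ... data=N` summary; the log lines, host names and the `tally` helper are constructed for illustration, and calling a session with no accepted DATA/BDAT a "probe" is a heuristic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  5 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example.net[192.0.2.10]: TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
Mar  5 10:00:02 mx postfix/smtpd[2101]: disconnect from a.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar  5 10:05:10 mx postfix/smtpd[2101]: Anonymous TLS connection established from scan.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:05:11 mx postfix/smtpd[2101]: disconnect from scan.example.org[198.51.100.7] ehlo=2 starttls=1 quit=1 commands=4
Mar  5 11:20:00 mx postfix/smtpd[2150]: Anonymous TLS connection established from old.example.com[203.0.113.5]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Mar  5 11:20:03 mx postfix/smtpd[2150]: disconnect from old.example.com[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

TLS_RE = re.compile(r"postfix/smtpd\[(\d+)\]: \w+ TLS connection established from "
                    r"(\S+\[[^\]]+\]): (\S+) with cipher (\S+)")
END_RE = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from (\S+\[[^\]]+\])(.*)")
# "data=1" is one accepted DATA; "data=0/1" is an attempt that was rejected.
SENT_RE = re.compile(r"\b(?:data|bdat)=[1-9]\d*")

def tally(lines, legacy=("SSLv3", "TLSv1", "TLSv1.1")):
    """Return (Counter keyed by (protocol, cipher, kind), {legacy client: kinds})."""
    open_sessions = {}  # smtpd pid -> (client, protocol, cipher) of the current session
    counts, legacy_clients = Counter(), defaultdict(set)
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            pid, client, proto, cipher = m.groups()
            open_sessions[pid] = (client, proto, cipher)
            continue
        m = END_RE.search(line)
        if m and m.group(1) in open_sessions:
            client, proto, cipher = open_sessions.pop(m.group(1))
            if client != m.group(2):
                continue  # disconnect belongs to a different session; skip it
            kind = "delivery" if SENT_RE.search(m.group(3)) else "probe"
            counts[(proto, cipher, kind)] += 1
            if proto in legacy:
                legacy_clients[client].add(kind)
    return counts, dict(legacy_clients)

if __name__ == "__main__":
    counts, legacy_clients = tally(SAMPLE_LOG.splitlines())
    for (proto, cipher, kind), n in counts.most_common():
        print(f"{n:4d} {proto} with cipher {cipher} [{kind}]")
    for client, kinds in sorted(legacy_clients.items()):
        print("legacy client:", client, sorted(kinds))
```

Clients listed as legacy with a "delivery" entry are the senders worth contacting before TLSv1 is disabled.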
