Re: [exim] Define preferred encryption algorithms

2019-10-13 Thread Viktor Dukhovni via Exim-users
On Sun, Oct 13, 2019 at 06:43:48PM +0100, Jeremy Harris via Exim-users wrote:

> Poking around the openssl sources I find a "Changes" note:
>  the definition for "DEFAULT"
>  (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
>  remains equivalent  to
>  "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"

That note is not (or is no longer) accurate; the resulting order
is not the same.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Define preferred encryption algorithms

2019-10-13 Thread Viktor Dukhovni via Exim-users
On Sun, Oct 13, 2019 at 09:51:42AM -0700, Phillip Carroll via Exim-users wrote:

> This thread has given me a much deeper understanding of how to manage 
> cipher negotiation in exim. As a result of this thread I have adopted 
> Viktor's setting for tls_require_ciphers. (Thanks Viktor)

One thing I forgot to mention is starting with OpenSSL 1.1.0, the
"ALL" and "DEFAULT" cipherlists are by default restricted further
by the "security level".  The default "level 1" sets a floor of
roughly 80-bit or better security across all the various algorithms,
so you get:

- SHA1 or stronger, no MD5 in TLS or in X.509 certificate
  chains other than root CA self-signatures.
- RSA with 1024-bit or longer keys in all X.509 certificates
- Diffie Hellman with 1024-bit or larger primes
- ECDSA with 160-bit or stronger curves (rarely less than 256)
- ECDHE with 160-bit or stronger curves

The security level can be specified in the cipherlist by adding
"@SECLEVEL=<n>", for a suitable choice of <n>.

With opportunistic TLS, where handshake failure falls back to
transmission in the clear, Postfix explicitly selects "@SECLEVEL=0",
removing the safety net, because even weak crypto should be better
than none.  The "@SECLEVEL=1" setting only applies for destinations
for which TLS is mandatory (e.g. DANE, but also mandatory local
policy to enforce TLS encryption with or without authentication).

Exim may not have automatic tuning of the security level based on
mandatory vs. opportunistic TLS, so setting "@SECLEVEL=0" for the
smtp router, unless that router is dedicated to just opportunistic
TLS, and perhaps sites with weak DH or MD5 signatures in their RSA
certs are no longer sufficiently common to warrant accommodating.

-- 
Viktor.

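To see the effect described above on the cipherlist Phil posted, here is an added shell example (not part of the thread, and not Exim or Postfix code). It relies on "openssl ciphers -s" (OpenSSL 1.1.x or later) to apply the security level the way the library does at handshake time; the policy names in cipherstring_for are this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the thread): observe what @SECLEVEL does to the
# cipherlist posted in this thread. Needs OpenSSL 1.1.x or later ("-s", SECLEVEL).
CIPHERS='DEFAULT:!EXPORT:!LOW:!MEDIUM:!kECDH:!kDH:!aDSS:!PSK'

# Suites the library will really offer at security level $1. Plain
# "openssl ciphers" prints the configured list unfiltered; "-s" applies the
# security-level and protocol-version checks that otherwise happen at handshake.
supported_ciphers() {
    openssl ciphers -s -v "$CIPHERS:@SECLEVEL=$1"
}

count_ciphers() {
    supported_ciphers "$1" | wc -l | tr -d ' '
}

# Suites using plain RSA key transport (no forward secrecy). The trailing
# space keeps "Kx=RSAPSK" from matching; grep -c prints 0 on no match.
count_non_pfs() {
    supported_ciphers "$1" | grep -c 'Kx=RSA ' || true
}

# Postfix-style policy from the message above: opportunistic TLS, which falls
# back to cleartext, drops the safety net with level 0; mandatory TLS (local
# policy or DANE) keeps level 1. The policy names are this example's own.
cipherstring_for() {
    case "$1" in
        may)          echo "$CIPHERS:@SECLEVEL=0" ;;
        encrypt|dane) echo "$CIPHERS:@SECLEVEL=1" ;;
        *)            echo "unknown policy: $1" >&2; return 1 ;;
    esac
}

report() {
    for level in 0 1 2 3; do
        printf 'SECLEVEL=%s: %3s suites, %2s without forward secrecy\n' \
            "$level" "$(count_ciphers "$level")" "$(count_non_pfs "$level")"
    done
}

report
```

Level 3 is where the list visibly shrinks for this cipherlist, since it drops every suite without forward secrecy.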


Re: [exim] Define preferred encryption algorithms

2019-10-13 Thread Viktor Dukhovni via Exim-users
On Sun, Oct 13, 2019 at 09:51:42AM -0700, Phillip Carroll via Exim-users wrote:

> Following is the cipher list result I see on CentOS 7.7.1908
> with openssl 1:1.0.2k-19.el7:
> > [root@localhost ~]#openssl ciphers 
> > 'DEFAULT:!EXPORT:!LOW:!MEDIUM:!kECDH:!kDH:!aDSS:!PSK'|tr : '\n'
> > [...]
> 
> My previous setting (last visited about 4 years ago) resulted in a list 
> more than double the length of this, with some ciphers considered very 
> weak included. Although, TLS connections (both directions) typically 
> result in a TLS1.2 connection using one of the top ciphers in the list.
> 
> I also tried adding '@STRENGTH' to the setting but found it produced the 
> exact same order. Does exim add that, or does openssl automatically sort 
> by strength?

In OpenSSL 1.0.0 (long time ago now), Bodo Möller implemented a
revised cipher selection mechanism that automatically results in
the "ALL" cipherlist being sorted in order of preference.  (I played
a small part in encouraging him to start that work).  All the other
elementary cipherlists are obtained from "ALL" by applying filters
and so, consequently, they too are sorted.  In OpenSSL 1.0.x the
sort order is by cipher strength.  For example, running either
OpenSSL 1.0.0 or OpenSSL 1.0.2 I get:

$ for c in ALL DEFAULT HIGH MEDIUM AES kRSA aRSA aECDSA kEECDH
  do
    c1=$(openssl ciphers -v "$c")
    c2=$(openssl ciphers -v "$c:@STRENGTH")
    printf "%-12s %2d ciphers\n" "${c}:" "$(echo "$c1" | wc -l)"
    diff -u <(echo "$c1") <(echo "$c2")
  done
ALL:         70 ciphers
DEFAULT:     44 ciphers
HIGH:        39 ciphers
MEDIUM:      17 ciphers
AES:         20 ciphers
kRSA:        22 ciphers
aRSA:        35 ciphers
aECDSA:       5 ciphers
kEECDH:      15 ciphers

Where none of the tested elementary cipher strings produced "diff"
output between their default value and explicitly sorted order.

In OpenSSL 1.1.x, forward-secrecy takes precedence over cipher
strength, with the PFS ciphers in key length order, and then the
non-PFS ciphers.  So sorting by key length (@STRENGTH) results in
a different order, with forward-secrecy preferred only within each
key length.  Eliminating the non-PFS ciphers shows no effect from
key-length sorting:

$ for c in ALL DEFAULT HIGH MEDIUM AES aRSA aECDSA kEECDH
  do c1=$($openssl110 ciphers -v "$c":'!kDH:!kECDH:!kRSA')
     c2=$($openssl110 ciphers -v "$c":'!kDH:!kECDH:!kRSA:@STRENGTH')
     printf "%-12s %2d ciphers\n" "${c}:" "$(echo "$c1" | wc -l)"
     diff -u <(echo "$c1") <(echo "$c2")
  done
ALL:         64 ciphers
DEFAULT:     49 ciphers
HIGH:        56 ciphers
MEDIUM:       8 ciphers
AES:         40 ciphers
aRSA:        22 ciphers
aECDSA:       9 ciphers
kEECDH:      23 ciphers

-- 
Viktor.

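As an added example (not from Viktor's message, nor Exim code), the shell below checks the two ordering properties discussed above against the local OpenSSL: whether the (EC)DHE suites come first, and whether appending @STRENGTH changes the order. It runs on Phil's cipherlist, with and without the non-PFS (kRSA) suites; the "Kx=" labels it matches are those printed by OpenSSL 1.1.x and later.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the preference order OpenSSL
# gives a cipherlist and whether "@STRENGTH" changes it. The cipherlist is the
# one posted in this thread; the Kx= labels matched below are OpenSSL 1.1.x+.
CIPHERS='DEFAULT:!EXPORT:!LOW:!MEDIUM:!kECDH:!kDH:!aDSS:!PSK'

# TLS 1.3 suites sit at a fixed position at the head of the list and are not
# touched by the cipherlist sort, so they are left out of the analysis.
verbose_list() {
    openssl ciphers -v "$1" | grep -v 'TLSv1\.3'
}

# Succeeds if every (EC)DHE suite precedes every plain-RSA key-transport suite,
# i.e. forward secrecy outranks key length (the 1.1.x ordering).
is_pfs_first() {
    verbose_list "$1" | awk '
        /Kx=(ECDH|DH) / { if (seen_rsa) bad = 1 }
        /Kx=RSA /       { seen_rsa = 1 }
        END             { exit bad + 0 }'
}

# Succeeds if key lengths never increase down the list. For the AES, Camellia
# and ChaCha20 suites this cipherlist admits, the Enc=...(bits) field equals
# the strength OpenSSL sorts on (it would not for 3DES, excluded by !MEDIUM).
is_strength_sorted() {
    verbose_list "$1" | awk '
        match($0, /Enc=[^(]*\([0-9]+\)/) {
            bits = substr($0, RSTART, RLENGTH)
            sub(/.*\(/, "", bits); sub(/\)/, "", bits)
            if (prev != "" && bits + 0 > prev + 0) bad = 1
            prev = bits
        }
        END { exit bad + 0 }'
}

# "yes" if appending @STRENGTH re-orders the list, "no" if it is a no-op (what
# the message above reports for 1.0.x, and for 1.1.0 once non-PFS suites go).
strength_sort_changes() {
    if [ "$(openssl ciphers "$1")" = "$(openssl ciphers "$1:@STRENGTH")" ]
    then echo no; else echo yes; fi
}

for cs in "$CIPHERS" "$CIPHERS:!kRSA"; do
    printf '%s\n  pfs-first: %s, strength-sorted: %s, @STRENGTH changes order: %s\n' \
        "$cs" "$(is_pfs_first "$cs" && echo yes || echo no)" \
        "$(is_strength_sorted "$cs" && echo yes || echo no)" \
        "$(strength_sort_changes "$cs")"
done
```

Whether @STRENGTH is a no-op on the PFS-only list depends on the OpenSSL release, so the script reports it rather than assuming the 1.1.0 result above.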


Re: [exim] Define preferred encryption algorithms

2019-10-13 Thread Jeremy Harris via Exim-users
On 13/10/2019 17:51, Phillip Carroll via Exim-users wrote:
> I also tried adding '@STRENGTH' to the setting but found it produced the
> exact same order. Does exim add that, or does openssl automatically sort
> by strength?

Exim takes no special action.

Poking around the openssl sources I find a "Changes" note:
 the definition for "DEFAULT"
 (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
 remains equivalent  to
 "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"
-- 
Cheers,
  Jeremy



Re: [exim] Define preferred encryption algorithms

2019-10-13 Thread Phillip Carroll via Exim-users

On 10/11/2019 2:55 AM, Jeremy Harris via Exim-users wrote:
> The openssl_options are fed to the SSL_CTX_set_options() interface
> (via some fairly-obvious processing).  The tls_require_ciphers is
> fed to SSL_CTX_set_cipher_list().
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphssl
>
> talks about order of the list of ciphers, which to me implies that
> the library uses that order as a preference.
> --
> Cheers,
>   Jeremy


@Jeremy:

Apparently IBM agrees with your interpretation:
https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.15/gtpc2/cpp_ssl_ctx_set_cipher_list.html

Note what IBM support says: "You must specify the ciphers in order of 
preference from highest to lowest."


This thread has given me a much deeper understanding of how to manage 
cipher negotiation in exim. As a result of this thread I have adopted 
Viktor's setting for tls_require_ciphers. (Thanks Viktor)


Following is the cipher list result I see on CentOS 7.7.1908
with openssl 1:1.0.2k-19.el7:

[root@localhost ~]#openssl ciphers 
'DEFAULT:!EXPORT:!LOW:!MEDIUM:!kECDH:!kDH:!aDSS:!PSK'|tr : '\n'
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA


My previous setting (last visited about 4 years ago) resulted in a list 
more than double the length of this, with some ciphers considered very 
weak included. Although, TLS connections (both directions) typically 
result in a TLS1.2 connection using one of the top ciphers in the list.


I also tried adding '@STRENGTH' to the setting but found it produced the 
exact same order. Does exim add that, or does openssl automatically sort 
by strength?


Phil Carroll
