On Wed, Aug 29, 2012 at 05:47:29PM +0000, Christian Weisgerber wrote: > Gilles Chehade <gil...@cvs.openbsd.org> wrote: > > > By default, it will use Blowfish in CBC mode with a different random IV for > > each envelope and message. User provided key is expanded using sha256 but a > > different cipher and digest may be specified in smtpd.conf > > I think this should default to AES-128. Introducing a new design > that uses an obsolete cipher does not strike me as a prudent approach. >
Hey, I'm no longer on a safe machine to commit, here's a diff to switch the default to AES-128 if you can commit on my behalf, otherwise I will do it tomorrow Gilles Index: parse.y =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v retrieving revision 1.94 diff -u -p -r1.94 parse.y --- parse.y 29 Aug 2012 16:26:17 -0000 1.94 +++ parse.y 29 Aug 2012 18:07:03 -0000 @@ -326,7 +326,7 @@ encrypt_cipher : CIPHER STRING { $$ = $2; } | /* empty */ { - $$ = "bf-cbc"; + $$ = "aes-128-cbc"; if (EVP_get_cipherbyname($$) == NULL) { yyerror("invalid queue encrypt cipher %s", $$); YYERROR; Index: smtpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.62 diff -u -p -r1.62 smtpd.conf.5 --- smtpd.conf.5 29 Aug 2012 16:48:40 -0000 1.62 +++ smtpd.conf.5 29 Aug 2012 18:08:18 -0000 @@ -211,7 +211,7 @@ Envelopes and messages may be inspected Enable transparent encryption of all envelopes and messages using cipher .Ar algorithm , -by default Blowfish in CBC mode. +by default AES-128 in CBC mode. .Ar key is expanded internally using the .Ar digest -- Gilles Chehade https://www.poolp.org @poolpOrg