On Wed, Aug 29, 2012 at 05:47:29PM +0000, Christian Weisgerber wrote:
> Gilles Chehade <gil...@cvs.openbsd.org> wrote:
> 
> > By default, it will use Blowfish in CBC mode with a different random IV for
> > each envelope and message. User provided key is expanded using sha256 but a
> > different cipher and digest may be specified in smtpd.conf
> 
> I think this should default to AES-128.  Introducing a new design
> that uses an obsolete cipher does not strike me as a prudent approach.
> 

Hey,

I'm no longer on a safe machine to commit. Here's a diff to switch
the default to AES-128, if you can commit on my behalf; otherwise I
will do it tomorrow.

Gilles


Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.94
diff -u -p -r1.94 parse.y
--- parse.y     29 Aug 2012 16:26:17 -0000      1.94
+++ parse.y     29 Aug 2012 18:07:03 -0000
@@ -326,7 +326,7 @@ encrypt_cipher      : CIPHER STRING {
                        $$ = $2;
                }
                | /* empty */ {
-                       $$ = "bf-cbc";
+                       $$ = "aes-128-cbc";
                        if (EVP_get_cipherbyname($$) == NULL) {
                                yyerror("invalid queue encrypt cipher %s", $$);
                                YYERROR;
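
Review bot: the new default "aes-128-cbc" in the empty encrypt_cipher branch changes the IV and block size from 8 bytes (Blowfish) to 16 bytes (AES) and replaces Blowfish's variable key length with a fixed 16-byte key, but the code that generates the IV and expands the key is not part of this diff. Please confirm that both take their sizes from EVP_CIPHER_iv_length() and EVP_CIPHER_key_length() on the selected cipher rather than from constants that happened to work for bf-cbc, since the sha256 expansion mentioned in the thread yields 32 bytes and AES-128 uses only 16 of them.
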
Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.62
diff -u -p -r1.62 smtpd.conf.5
--- smtpd.conf.5        29 Aug 2012 16:48:40 -0000      1.62
+++ smtpd.conf.5        29 Aug 2012 18:08:18 -0000
@@ -211,7 +211,7 @@ Envelopes and messages may be inspected 
 Enable transparent encryption of all envelopes and messages
 using cipher
 .Ar algorithm ,
-by default Blowfish in CBC mode.
+by default AES-128 in CBC mode.
 .Ar key
 is expanded internally using the
 .Ar digest
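
Review bot: the replacement line "by default AES-128 in CBC mode." does not give the string a user would write for the algorithm argument, and it does not say that the default has changed. Suggest naming the default as aes-128-cbc, the same string parse.y uses, and adding a sentence that, unless the cipher is recorded with each envelope, a queue written under the previous default needs bf-cbc specified explicitly to remain readable.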





-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
