[exim] REPOST: Possible TLS weakness in Exim? (to be noticed…

Etusivu
Poista viesti
Vastaa
Lähettäjä: Ralf G. R. Bergs
Päiväys:  
Vastaanottaja: exim-users
Aihe: [exim] REPOST: Possible TLS weakness in Exim? (to be noticed with Opera and Exim 4.50 from Debian stable)
Hi there,

I recently noticed the following problem:

<quote>
I'm running a (Debian stable) server of my own with a free cert from
cacert.org.

I've imported the root CA to Opera, and https is fine -- no warnings
whatsoever. I'm also running an IMAP server (Courier) with TLS, no
problems here either.

BUT there is a problem with SMTP using Exim 4.50. Opera keeps
complaining that my server was using a short public key which is unsafe.
Why is this??? I'm using 4096 bit RSA.

[...]

If I force Opera to accept the certificate anyway (I can't "install" it
by any means, but have to click "accept" each time I try to send a
message), Opera is able to connect to the mail server. Exim logs
"TLS-1.0:RSA_AES_256_CBC_SHA:32" as the crypto suite used.
</quote>

I posted about this problem into the Opera forum (see
http://my.opera.com/community/forums/topic.dml?id=167205), and received
the following reply from one of the Opera developers:

<quote>
The server selected an encryption method that uses RSA combined with
Ephermal (dynamic) Diffie-Hellman (DHE), a method which uses short-lived
(temporary) Diffie-Hellman keys authenticated by a signature from the
RSA key.

I have seen a couple of servers that uses a default DHE length of 512
bit or less (I once saw one sending a 256(!) bit key). Such keylengths
(<900 bits) are far too short to provide any significant security.

I suggest that you check the DHE key-generation configuration of the
SMTP server.

IMO the length of that key should match the keylength of the
certificate, but to get level 3 encryption it must be at least 1024 bits
long.
</quote>

The binary has been built by the Debian guys with GnuTLS support.

Unfortunately I'm not deep enough into crypto programming to have a look
at the source myself, but what the Opera developer wrote sounds
reasonable to me.

Can anyone comment on this?

Thanks,

Ralf