Re: [exim] REPOST: Possible TLS weakness in Exim? (to be not…

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Mark Nipper
Fecha:  
A: Ralf G. R. Bergs
Cc: exim-users
Asunto: Re: [exim] REPOST: Possible TLS weakness in Exim? (to be noticed with Opera and Exim 4.50 from Debian stable)
On 04 Dec 2006, Ralf G. R. Bergs wrote:
> <quote>
> The server selected an encryption method that uses RSA combined with
> Ephermal (dynamic) Diffie-Hellman (DHE), a method which uses short-lived
> (temporary) Diffie-Hellman keys authenticated by a signature from the
> RSA key.
>
> I have seen a couple of servers that uses a default DHE length of 512
> bit or less (I once saw one sending a 256(!) bit key). Such keylengths
> (<900 bits) are far too short to provide any significant security.
>
> I suggest that you check the DHE key-generation configuration of the
> SMTP server.
>
> IMO the length of that key should match the keylength of the
> certificate, but to get level 3 encryption it must be at least 1024 bits
> long.
> </quote>


        I'm certainly no expert on this either, but you can
change the list of ciphers which exim uses at run-time.  Assuming
you are using OpenSSL, see:
---
http://www.exim.org/exim-html-4.63/doc/html/spec_html/ch38.html#SECTreqciphssl


        Specifically, the option tls_require_ciphers can be set
to pretty much any of the options listed at:
---
http://www.openssl.org/docs/apps/ciphers.html


        You might try the "HIGH" option to see if anything
changes on Opera's side.  Otherwise, you will probably have to be
more specific and select from the exact cipher suites listed
below the more generic lists.


-- 
Mark Nipper                                                e-contacts:
4320 Milam Street                                   nipsy@???
Bryan, Texas 77801-3920                     http://nipsy.bitgnome.net/
(979)575-3193                      AIM/Yahoo: texasnipsy ICQ: 66971617


-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GG/IT d- s++:+ a- C++$ UBL++++$ P--->+++ L+++$ !E---
W++(--) N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--)
Y+ PGP t+ 5 X R tv b+++@ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
Information flows into the public domain as water to the sea.
Copyright is an increasingly ineffectual dam.
----end random quote of the moment----