[exim] some OpenSSL topics

Top Pagina
Delete this message
Reply to this message
Auteur: Wolfgang Breyha
Datum:  
Aan: exim-users@exim.org
Onderwerp: [exim] some OpenSSL topics
Hi!

I'm currently trying to get my exim/openssl installation "right".

*) One thing I noticed is that openssl 1.0.1e sets:
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
 *             This used to be 0x000FFFFFL before 0.9.7. */
#define SSL_OP_ALL                                      0x80000BFFL


Since exim uses SSL_OP_ALL as "all" as well it isn't "all" anymore.

Negating the defaults (eg. no_sslv2) with "-all" as documented in
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html#SECTalomo
wont work.

*) Another thing I'm currently trying to achieve is a preferred cipher list
preferring PFS with ECDHE first, DHE second, no PFS last.
I use
openssl_options = +no_sslv2 +no_compression +cipher_server_preference
+single_dh_use +single_ecdh_use
tls_require_ciphers = ECDH:kEDH:HIGH:RC4-SHA:!PSK:!KRB5:!aNULL:!MD5:!DES

But still, ECDHE ciphers are not used if exim is in server mode. "openssl
ciphers" with the upper selection outputs:
ECDHE-RSA-AES256-GCM-SHA384:....:ECDHE-RSA-AES256-SHA384:....:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:....

If I connect to this server with the same openssl libraries using:
openssl s_client -starttls smtp -connect <host>:25 -cipher
'ECDH:kEDH:HIGH:RC4-SHA:!PSK:!KRB5:!aNULL:!MD5:!DES'
I get
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384


Exim Debug output shows:
16855 openssl option, adding from 1000000: 1000000 (no_sslv2)
16855 openssl option, adding from 1000000: 20000 (no_compression)
16855 openssl option, adding from 1020000: 400000 (cipher_server_preference)
16855 openssl option, adding from 1420000: 100000 (single_dh_use)
16855 openssl option, adding from 1520000: 80000 (single_ecdh_use)
16855 setting SSL CTX options: 0x15a0000
...
16855 required ciphers: ECDH:kEDH:HIGH:RC4-SHA:!PSK:!KRB5:!aNULL:!MD5:!DES
...
16855 SSL_accept was successful
16855 Cipher: TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256
16855 Shared ciphers: <exactly the same ciphers as "openssl ciphers" shows...
including
ECDHE-RSA-AES256-GCM-SHA384:....:ECDHE-RSA-AES256-SHA384:....:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:....>

Same s_client to GMX uses:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384


If I use -cipher 'ECDHE-RSA-AES256-GCM-SHA384' on the upper exim I get "no
shared ciphers found"!?

I can't figure out why!? Is there something missing in exim openssl code to
support ECDH?

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria