On Tue, Oct 15, 2013 at 01:08:48PM +0200, Wolfgang Breyha wrote:
> Viktor Dukhovni wrote, on 15.10.2013 02:42:
> > On Mon, Oct 14, 2013 at 05:52:19PM +0200, Wolfgang Breyha wrote:
> >> tls_require_ciphers = ECDH:kEDH:HIGH:RC4-SHA:!PSK:!KRB5:!aNULL:!MD5:!DES
> >
> > This cipher preference is broken. Exim SHOULD NOT encourage users
> > to attempt to manually tweak OpenSSL cipherlists, even modestly
> > clueful users get this badly wrong.
>
> Exim never encouraged users to do so. Can you be a little bit more specific
> why this cipher list is "broken"? At least the output of "openssl ciphers"
> doesn't look that "broken".

- The cipher-list is not sorted by key length, weak ECDH ciphers are listed
  ahead of stronger EDH or non-PFS ciphers. For example:

    ECDHE-RSA-NULL-SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1

- The ECDH and kEDH ciphers you include are not necessarily "HIGH", and I
  believe you're trying to restrict the cipherlist to just HIGH grade
  ciphers plus RC4-SHA.

- The ECDH cipher category is not the same as kEECDH (which is what you want
  for PFS). It includes many non-PFS ciphers:

    $ openssl ciphers -v 'ECDH:!kEECDH:!kEDH'
    ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
    ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
    ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
    ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
    ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
    ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
    ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
    ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
    ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
    ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
    ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
    ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
    ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
    ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
    ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
    ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
    ECDH-RSA-NULL-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None Mac=SHA1
    ECDH-ECDSA-NULL-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None Mac=SHA1

- I could describe other problems, but the above are enough.

This cipher list is clearly the result of an incomplete understanding
of the OpenSSL cipherlist syntax. And yet you're not a novice
user. Hence my contention that the OpenSSL cipher syntax is for
OpenSSL experts only, applications should not expose it directly
to users.

[ Postfix has cipher grades (null, export, low, medium, high), users
choose one of these, and leave the underlying cipherlists alone! ]

--
Viktor.
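
Added example (not part of the original message, and not Exim, Postfix or OpenSSL code): a small Python audit of `openssl ciphers -v` output for the three problems listed above, namely suites with no encryption, non-PFS key exchange, and weaker suites ordered ahead of stronger ones. The sample lines are constructed in the format quoted in the message, and the Kx-based PFS test assumes the labels printed by the OpenSSL output shown there.

```python
import re

# Constructed sample in `openssl ciphers -v` format: the first two lines appear in
# the message above, the last two are added for contrast (kEECDH and kEDH suites).
SAMPLE = """\
ECDHE-RSA-NULL-SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
"""

# Assumption: ephemeral (PFS) key exchange prints as a bare "ECDH" or "DH";
# fixed-key variants print as "ECDH/RSA", "ECDH/ECDSA", and so on.
EPHEMERAL_KX = {"ECDH", "DH"}


def parse(text):
    """Parse `openssl ciphers -v` lines into dicts, keeping preference order."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:          # skip blanks and wrapped fragments
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        m = re.search(r"\((\d+)\)", attrs.get("Enc", ""))
        suites.append({"name": fields[0], "kx": attrs.get("Kx", ""),
                       "bits": int(m.group(1)) if m else 0})  # Enc=None -> 0
    return suites


def audit(text):
    """Return {suite name: [issues]} for every suite with at least one issue."""
    suites = parse(text)
    report = {}
    for i, s in enumerate(suites):
        issues = []
        if s["bits"] == 0:
            issues.append("no-encryption")
        if s["kx"] not in EPHEMERAL_KX:
            issues.append("no-pfs")
        # Listed earlier means preferred: flag if any later suite is stronger.
        if any(later["bits"] > s["bits"] for later in suites[i + 1:]):
            issues.append("preferred-over-stronger")
        if issues:
            report[s["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name}: {', '.join(issues)}")
```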