Author: Phil Pennock Date: To: Klaus Ethgen CC: exim-users Subject: Re: [exim] Diffie-Hellman?
On 2014-01-16 at 13:57 +0100, Klaus Ethgen wrote: > Hi folks,
>
> Am Mi den 15. Jan 2014 um 23:36 schrieb Viktor Dukhovni:
> > Note, some Debian releases patched Exim to make it "more secure",
> > thereby breaking TLS handshakes with most servers, and making Exim
> > less secure when Exim falls back to cleartext delivery.
>
> That is not true. The default of 1024 bit is insecure today. It will
> just give you false security using such a short value. So it is just
> consequent increasing the limit and not using such keys.
1024 is susceptible to brute-force attack by motivated attackers who
have resources to expend. It's not "free" to attack.
Cleartext is free to "attack", since it can be read anyway. Falling
back to cleartext is unfortunate but currently required for
interoperation. Set `hosts_require_tls` to an appropriate pattern
(perhaps `*`) for instances where this fallback should not happen.
DH with 1024 is better than cleartext. Breaking TLS negotiation is
unreasonable and it's a design flaw of TLS that this can't be negotiated
and handled better.
If you refuse to use any security which can be attacked by an acronym
agency when they turn their attention to you, opting for no security
instead, you've increased your exposure to many others. In an ideal
world, you might be protected from both, but I suggest revisiting your
threat model to determine what acceptable compromises might be.
Debian's intent was reasonable: improve available security. But the
C constant which they changed had _two_ meanings back then and they
accidentally also raised the minimum for talking to others.
If deploying DH today, deploy with 2048 bits for maximum
interoperability and require a minimum of 1024 bits when talking to
others.
> However, I did not currently check the value in debian or want to say
> any about any distributor. (I just see a general debian hate from some
> people on the list. But bashing doesn't help.)
Viktor and I worked together to diagnose interoperability problems
between Postfix installs and Exim installs caused by this Debian patch.
Viktor's not bashing, he's accurately describing what happened and
helping people get a functional secure setup for email.
(Oh, and Viktor is very active in the DANE space, as it applies to
email, and does a lot of Postfix's TLS code maintenance, so he knows
what he's talking about when it comes to email security.)