On Thu, Jan 28, 2016 at 12:44:16PM -0500, Phil Pennock wrote:
> ## DH small subgroups (CVE-2016-0701)
>
> You can be vulnerable with OpenSSL 1.0.2 if the file passed to
> tls_dhparam has parameters generated in a new way, and they're dodgy
> parameters.
>
> Mitigation 1: don't do that
Note that the standard "named" DH parameters from RFC 5114 in Exim
are exactly the "dodgy" kind. However, ...
> Mitigation 2: Exim forks a new process for each inbound connection, so
> reuse of one private param seems unlikely (unless it's
> generated and cached during the initial sanity check)
It appears to me that Exim does not initialize the server-side TLS
context until STARTTLS is issued and tls_server_start() is called.
This could be problematic if it promises STARTTLS but then can't
deliver because of configuration problems that might have been
caught with earlier initialization.
So, in this particular case, assuming that STARTTLS is always after
fork(), late initialization does appear to avoid the specific DH
reuse issue.
> Mitigation 3: Exim main config: openssl_options +single_dh_use
This also works, belt and suspenders.
> ## SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
>
> Seriously, SSLv2? I know that opportunistic encryption for MX delivery
> means "use even crap encryption, since you'd fall back to plaintext
> anyway", but SSLv2?
>
> Exim disables SSLv2 by default since 4.80, and you could use
> `openssl_options` to enable it before then. Since 4.80, you'd have to
> explicitly set `openssl_options -no_sslv2` to enable SSLv2.
Good. With the protocol disabled by default, you're covered.
--
Viktor.
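As an added worked example, not Exim's or OpenSSL's code and not part of either message above, here is a Python model of what "dodgy" X9.42-style parameters plus a reused private exponent give an attacker, together with the parameter check a tls_dhparam sanity pass could run. Everything except the RFC 2409 group 2 prime is constructed for the demo: the toy group (64-bit q, 256-bit p) is far too small for real use, and dh_group_report, gen_x942_style_params, static_key_server, recover_exponent and the finished_ok oracle are this example's own names. The oracle stands in for the handshake completing or failing; the attacker's "public key" is an element of small prime order r, so the server's shared secret depends only on x mod r and at most r handshakes recover it.

```python
# Added example (not Exim's or OpenSSL's code): the small-subgroup key recovery
# behind CVE-2016-0701, run against a constructed toy X9.42-style group with a
# reused private exponent, plus the check a tls_dhparam sanity pass should do.
import random
from math import log2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; adequate for a parameter-file check."""
    if n < 4:
        return n > 1
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def small_prime_factors(n, bound=1 << 12):
    """Distinct prime factors of n below bound, by trial division."""
    found, f = [], 2
    while f < bound and f * f <= n:
        if n % f == 0:
            found.append(f)
            while n % f == 0:
                n //= f
        f += 1
    return found + [n] if 1 < n < bound else found

def dh_group_report(p, q=None):
    """Safe prime: only an order-2 subgroup. X9.42 (RFC 5114): p = k*q+1 and
    every small prime r dividing k is a subgroup leaking x mod r per reused x."""
    q = (p - 1) // 2 if q is None else q  # without q, only the safe-prime test applies
    k = (p - 1) // q
    subgroups = small_prime_factors(k)
    return {"prime": is_probable_prime(p), "safe_prime": k == 2 and is_probable_prime(q),
            "cofactor_bits": k.bit_length(), "small_subgroups": subgroups,
            "leaked_bits": round(sum(map(log2, subgroups)), 1)}

def gen_x942_style_params(qbits, pbits, rng, min_leak_bits=16):
    """Constructed toy DSA/X9.42-style generation (far too small for real use):
    prime q, then p = k*q+1, retried until k has enough small odd factors to teach."""
    while not is_probable_prime(q := rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1):
        pass
    while True:
        k = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        leak = sum(log2(r) for r in small_prime_factors(k) if r != 2)
        if leak >= min_leak_bits and is_probable_prime(k * q + 1):
            return k * q + 1, q

def static_key_server(p, q, x, check_subgroup=False):
    """Server reusing exponent x. Returns the oracle 'would a Finished built from
    guessed_secret verify?', which the attacker sees as handshake success/failure."""
    def finished_ok(peer_pub, guessed_secret):
        if not 1 < peer_pub < p - 1:  # range check, present in old OpenSSL too
            return False
        if check_subgroup and pow(peer_pub, q, p) != 1:  # the 1.0.2f addition
            return False
        return pow(peer_pub, x, p) == guessed_secret
    return finished_ok

def recover_exponent(p, q, oracle, rng):
    """Offer an element h of small prime order r as the client value: h^x depends
    only on x mod r, so at most r handshakes reveal it. Returns {r: x mod r} (the
    CRT then gives x mod prod(r)), or None once a whole subgroup is rejected."""
    residues = {}
    for r in (r for r in small_prime_factors((p - 1) // q) if r != 2):  # p-1 is out of range
        while (h := pow(rng.randrange(2, p - 1), (p - 1) // r, p)) == 1:
            pass
        for y in range(r):
            if oracle(h, pow(h, y, p)):
                residues[r] = y
                break
        else:
            return None
    return residues

RFC2409_GROUP2_P = int(  # 1024-bit MODP group: a safe prime, generator 2, for contrast
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def run_demo(seed=2016):
    """Build the toy group, attack a static-key server, then a hardened one."""
    rng = random.Random(seed)
    p, q = gen_x942_style_params(64, 256, rng)
    x = rng.randrange(1, q)  # the server's reused private exponent
    leaked = recover_exponent(p, q, static_key_server(p, q, x), rng)
    hardened = recover_exponent(p, q, static_key_server(p, q, x, True), rng)
    return dh_group_report(p, q), leaked, all(x % r == y for r, y in leaked.items()), hardened
```

run_demo() returns the toy group's report, the residues {r: x mod r} pulled out of the static-key server, whether every one of them matches the real x, and None for the server that applies the 1.0.2f subgroup check; dh_group_report(RFC2409_GROUP2_P) reports a safe prime whose only small subgroup is [2]. The mitigations discussed above read straight off the model: safe-prime parameters leave only the order-2 subgroup, whose single element p-1 the range check already rejects; forking before STARTTLS, or +single_dh_use, means each handshake sees a different x, so the residues the attacker collects belong to different exponents and combining them yields nothing.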