Re: [exim] Enabling ECDH

Author: Jan Ingvoldstad
Date:  
To: exim users
Subject: Re: [exim] Enabling ECDH
On Mon, Mar 7, 2016 at 10:39 AM, Klaus Ethgen <Klaus+exim@???> wrote:

> Hi,
>
> No comment to ECDH itself, but:
>
> On Mon, 7 Mar 2016 at 9:50, Renaud Allard wrote:
> > openssl_options = +no_compression +cipher_server_preference +single_dh_use
> > +single_ecdh_use +no_session_resumption_on_renegotiation
>
> I do not know if you really want to use +no_compression. That would make
> it easier for known plaintext attacks.
>


Uhm, are you sure you're not a bit out of date regarding TLS security?

For the past few years (2012 or so), most software disables compression to
_reduce_ the risk of known attacks, because of how compression and TLS
interoperate.

OpenSSL 1.1.0 has disabled compression by default; this is something you
need to enable manually.

The reason for this is the CRIME attack against TLS 1.0.

TLS 1.2 defaults to a "null" method that actually does no compression.

While CRIME itself isn't an SMTP attack, most security recommendations I've
ever read since 2012 recommend _disabling_ compression regardless of what
protocol is using TLS, due to the inherent risks.

If you have evidence otherwise, please share, because I (and probably many
others!) am very interested in a technical explanation of why this isn't
something to worry about.
--
Jan
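
The interaction between compression and TLS that the reply above refers to, shown as an added example that is not part of the original message: when a secret and text chosen by another party are compressed together before encryption, the record length on the wire depends on whether the two match. The record layout, the secret and both reflected strings are constructed sample data, and zlib stands in for TLS-level DEFLATE compression.

```python
import zlib

# Constructed sample data: the secret and both reflected strings are invented.
SECRET_HEADER = b"Cookie: session=7f3a9c0e51b2d468\r\n"
MATCHING = b"session=7f3a9c0e51b2d468"      # equals the secret
NON_MATCHING = b"session=e8d1c6b5a4f3029d"  # same length, different value


def build_record(reflected: bytes) -> bytes:
    """Plaintext that mixes a secret with input chosen by someone else."""
    return b"POST /form HTTP/1.1\r\n" + SECRET_HEADER + b"\r\n" + b"q=" + reflected


def wire_length(reflected: bytes, compress: bool) -> int:
    """Length an on-path observer sees.

    Encryption hides the content but not the size, so the ciphertext length
    tracks the length of whatever was handed to the cipher.
    """
    record = build_record(reflected)
    if compress:
        record = zlib.compress(record, 9)
    return len(record)


def length_gap(compress: bool) -> int:
    """Size difference between the non-matching and the matching record."""
    return wire_length(NON_MATCHING, compress) - wire_length(MATCHING, compress)


if __name__ == "__main__":
    # With compression, the matching record is shorter because DEFLATE
    # replaces the repeated secret with a back-reference.
    print("gap with compression:   ", length_gap(True))
    # Without compression (what +no_compression gives you), both records
    # have the same length and the size reveals nothing about the secret.
    print("gap without compression:", length_gap(False))
```
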