[exim] DANE / TLS ciphersuite improvements

Author: Phil Pennock
Date:  
To: mje, exim-users
Old-Topics: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
Subject: [exim] DANE / TLS ciphersuite improvements
On 2018-03-28 at 21:29 -0400, Phil Pennock via Exim-users wrote:
> On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote:
> > $smtp_found_dane or something? Note that DANE support is Experimental
> > and feedback and requests are a good thing (patches even better!).
>
> Uh ... DANE graduated from Experimental, I forgot. Sorry.
>
> Am tentatively thinking that since so many other TLS-related Transport
> options are ignored under DANE, and we don't require complicated
> expansion rules, the cleanest and easiest would be to have a new option,
> `dane_require_tls_ciphers`; if unset, `tls_require_ciphers` would be
> used as the default, but if set and _IF_ DANE is in play, then this
> cipherlist would be used instead.
>
> I'll code up a strawman for consideration.
This has been merged. I wrote the feature, Jeremy wrote the tests, the
buildfarm was happy, I've merged it to master.

This should be part of the imminent feature-freeze RC and thus part of
Exim 4.91 -- probably the last thing to squeak in, but it fits as part
of Jeremy's work maturing DANE: 4.91 will be the first release where
DANE is "normal" not "experimental", with support both via OpenSSL and
GnuTLS.

SMTP Transport option dane_require_tls_ciphers -- exactly the same as
tls_require_ciphers and falls back to tls_require_ciphers appropriately.
Use it to specify a different cipher list for when DANE is in play.

This makes it easier to be much stricter for hosts which appear to be
doing security right, and where there is no plaintext fallback.

With GnuTLS, where the string is interpreted as a "priority string", you
can also turn on and off TLS/SSL protocol versions as part of the
option. With OpenSSL, it's just ciphersuites.

Have fun!
-Phil
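An added configuration example (not from Phil's post or the Exim distribution) showing the option described above: a moderate cipher policy for ordinary opportunistic TLS beside a much stricter one that applies only when DANE has validated the peer. It assumes an Exim 4.91 or later build against GnuTLS, so both values are GnuTLS priority strings and the DANE one also pins the protocol version; the OpenSSL form is shown in a comment.

```exim
# Added example, not part of the original post. Assumes Exim >= 4.91 built
# against GnuTLS (priority-string syntax); the exact tokens accepted depend
# on the GnuTLS version installed.

remote_smtp:
  driver = smtp
  # Try DANE for every destination. Hosts without usable TLSA records are
  # not forced, so plain opportunistic TLS (or plaintext) still works for
  # the long tail of poorly configured servers.
  hosts_try_dane = *
  # Used when DANE is NOT in play: deliberately broad, because bouncing
  # mail to a badly run server is usually worse than a weaker ciphersuite.
  tls_require_ciphers = NORMAL
  # Used INSTEAD of tls_require_ciphers only when DANE validated the peer.
  # There is no plaintext fallback in that case, so insist on TLS 1.2,
  # ECDHE key exchange and AEAD ciphersuites only.
  dane_require_tls_ciphers = SECURE256:-VERS-ALL:+VERS-TLS1.2:\
                             -KX-ALL:+ECDHE-ECDSA:+ECDHE-RSA:\
                             -CIPHER-ALL:+AES-256-GCM:+CHACHA20-POLY1305:\
                             -MAC-ALL:+AEAD
  # Under an OpenSSL build the same option takes an OpenSSL cipher list
  # and cannot pin protocol versions, e.g.:
  #   dane_require_tls_ciphers = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
```

If the stricter list is too narrow, the failure shows up only for DANE-validated hosts, so watch the main log for TLS session failures on those deliveries after rolling it out.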