[exim] DANE-TA(2) private CAs and SHA-1

Author: Viktor Dukhovni
Date:
To: exim-users
Subject: [exim] DANE-TA(2) private CAs and SHA-1
By using DANE-TA(2) TLSA records you can associate your SMTP server
with either a public or private (your own) issuer CA. This can
simplify the management of TLSA records of multiple MX hosts by
using a CNAME to a common location where you publish the shared CA
key hash.

Some care needs to be taken to make sure that certificate chains
issued by a private CA can be successfully validated by correctly
configured DANE TLS clients.

    1.  Make sure the MX hostname of the end-entity server is one of the
    names in the subjectAltName extension of the server certificate.
    This is optional for DANE-EE(3), but is required for DANE-TA(2).


    Some MX hosts are known by different names when serving
    different domains.  I don't recommend this, but can't stop
    you from doing it.  In that case, all the names should
    appear in the certificate, or (if using server-side SNI)
    each name should appear in the corresponding certificate.


    2.  Make sure that the server certificate is replaced in a
    timely manner before it expires.  This is also optional
    with DANE-EE(3), and required with DANE-TA(2).


    3.  [The motivation for this message].  Use broadly accepted
    cryptographic algorithms and parameters.  For example,
    recent versions of GnuTLS by default no longer accept SHA-1
    signatures in certificate chains.  Some versions of Exim
    that support DANE are linked with GnuTLS, and the Exim
    maintainers are not presently inclined to re-enable SHA-1
    support.  Therefore, sites using private CAs with SHA-1
    signatures may encounter problems receiving some email.
    (Public CA/B forum CAs no longer issue SHA-1 certificates.)


    For best interoperability use the SHA256 digest algorithm
    in certificate signatures.


    For best interoperability, use RSA key sizes of at least 1280 bits,
    and no more than 4096.  The most common choice is 2048 bits.


    For ECDSA, stick with NIST P-256 (OpenSSL names for this
    ECDSA curve are prime256v1 and secp256r1).


Today (after most of the small number of domains using SHA-1 with
private CAs re-issued their certificates) the DANE survey finds
only one MX host of one domain with SHA-1 private-CA signatures:

    semidefinite.de. IN MX 10 mail.semidefinite.de.


so the impact of the GnuTLS policy is low. With a bit of luck,
this post will help others avoid the same issue, and perhaps
also the postmaster of the above domain will see it on one
of the dane-users, postfix-users or exim-users lists, so the
number of affected domains may soon be zero.

-- 
    Viktor.
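
The three checks listed in the message, written as a shell function around the openssl command line. This is an added example, not part of the original post or of Exim. The names check_dane_ta_cert, make_sample and RENEW_DAYS, the 30-day renewal threshold and the example.net hostnames are assumptions, and OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example: checks a private-CA server certificate before its issuer is
# published in a DANE-TA(2) TLSA record. RENEW_DAYS is an assumed threshold.
RENEW_DAYS=${RENEW_DAYS:-30}
_field() { printf '%s\n' "$text" | sed -n "s/$1/\\1/p" | head -n 1; }

check_dane_ta_cert() {   # usage: check_dane_ta_cert CERT.pem MX-HOSTNAME
    cert=$1; mx=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # 1. The MX hostname must be one of the subjectAltName names.
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name' &&
       openssl x509 -in "$cert" -noout -checkhost "$mx" | grep -q 'does match'
    then echo "ok   name: $mx"
    else echo "FAIL name: $mx is not in subjectAltName"; rc=1; fi
    # 2. The certificate must not be about to expire.
    if openssl x509 -in "$cert" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null
    then echo "ok   expiry: more than $RENEW_DAYS days left"
    else echo "FAIL expiry: expires within $RENEW_DAYS days"; rc=1; fi
    # 3a. Signature digest: SHA-1 fails, SHA256 is the recommended choice.
    sig=$(_field '^ *Signature Algorithm: *\(.*\)')
    case $sig in
        *[Ss][Hh][Aa]1*)   echo "FAIL signature: $sig"; rc=1 ;;
        *[Ss][Hh][Aa]256*) echo "ok   signature: $sig" ;;
        *)                 echo "note signature: $sig is not SHA256" ;;
    esac
    # 3b. Key: RSA between 1280 and 4096 bits, or ECDSA on P-256.
    alg=$(_field '^ *Public Key Algorithm: *\(.*\)')
    bits=$(_field '.*Public-Key: (\([0-9]*\) bit.*')
    case $alg in
        rsaEncryption)
            if [ "$bits" -ge 1280 ] && [ "$bits" -le 4096 ]
            then echo "ok   key: RSA $bits bits"
            else echo "FAIL key: RSA $bits bits"; rc=1; fi ;;
        id-ecPublicKey)
            if printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1'
            then echo "ok   key: ECDSA P-256"
            else echo "FAIL key: ECDSA curve is not P-256"; rc=1; fi ;;
        *)  echo "note key: $alg" ;;
    esac
    return $rc
}
# Constructed sample input: a throwaway self-signed certificate.
make_sample() {   # usage: make_sample OUT.pem MX-HOSTNAME DAYS
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$3" \
        -subj "/CN=sample" -addext "subjectAltName=DNS:$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
if [ $# -eq 2 ]; then check_dane_ta_cert "$1" "$2"; fi
```

The function inspects a single certificate, so the signature and key checks only cover the file it is given.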