Re: [exim] Expiriences with TLS 1.3

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Expiriences with TLS 1.3
> On Jan 28, 2019, at 6:56 AM, Jeremy Harris via Exim-users <exim-users@???> wrote:
>
>> is anyone of you running TLS 1.3 already ?
>
> It functions fine in the Exim regression-test suite,
> on systems having suitable library support.
>
> I've not seen any such connections in production yet.
As part of the DANE adoption survey I record the negotiated TLS
version for the various MX hosts involved.

Out of 9287 IP endpoints, the top 10 TLS protocol + cipher counts
were:

5765     TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
 955     TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,X25519
 554     TLS = TLS13 with AES256GCM-SHA384,X25519,RSA
 548     TLS = TLS12 with DHE-RSA-AES256GCM-SHA384
 398     TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P384
 156     TLS = TLS13 with AES256GCM-SHA384,P256,RSA
 130     TLS = TLS12 with ECDHE-RSA-AES128GCM-SHA256,P256
 117     TLS = TLS13 with AES256GCM-SHA384,P384,RSA
  86     TLS = TLS13 with CHACHA20POLY1305-SHA256,X25519,RSA
  76     TLS = TLS12 with ECDHE-RSA-CHACHA20POLY1305-SHA256,P384
So TLS 1.3 is getting used. For example, at udmedia.de which handles
over 20k customer DANE domains and vevida.com which handles over 30k
customer domains. DANE domains with TLS 1.3 that exchange enough email
volume with Gmail to appear in Google's email transparency report include:

univie.ac.at
open.ch
vevida.com
ruhr-uni-bochum.de
xs4all.nl
freebsd.org

-- 
    Viktor.
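As an added example, not code from the post or from the survey Viktor describes: a small Python parser for records in the shape of the table above that tallies endpoints per protocol and cipher and reports the TLS 1.3 share. The decomposition of the suite string into cipher, key-exchange group and signature algorithm, and the `Endpoint` type, are assumptions about that format; the sample input is the post's own top-10 table.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Counter as CounterT, Dict, List, Optional, Tuple

# Sample input: the top-10 table from the post, one "count  record" per line.
POST_TOP10 = """\
5765     TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
 955     TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,X25519
 554     TLS = TLS13 with AES256GCM-SHA384,X25519,RSA
 548     TLS = TLS12 with DHE-RSA-AES256GCM-SHA384
 398     TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P384
 156     TLS = TLS13 with AES256GCM-SHA384,P256,RSA
 130     TLS = TLS12 with ECDHE-RSA-AES128GCM-SHA256,P256
 117     TLS = TLS13 with AES256GCM-SHA384,P384,RSA
  86     TLS = TLS13 with CHACHA20POLY1305-SHA256,X25519,RSA
  76     TLS = TLS12 with ECDHE-RSA-CHACHA20POLY1305-SHA256,P384
"""

# Optional leading count, then the record as it appears in the post.
LINE_RE = re.compile(
    r"^\s*(?:(?P<count>\d+)\s+)?TLS = (?P<proto>TLS1[0-3]) with (?P<suite>\S+)\s*$"
)


@dataclass(frozen=True)
class Endpoint:
    """One negotiated (protocol, cipher, group, sigalg) tuple (assumed layout)."""
    proto: str
    cipher: str
    group: Optional[str]   # (EC)DHE group; absent for finite-field DHE records
    sigalg: Optional[str]  # TLS 1.3 records also carry the signature algorithm


def parse_line(line: str) -> Tuple[Endpoint, int]:
    """Parse one record; a line without a leading count stands for one endpoint."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    proto = m.group("proto")
    fields = m.group("suite").split(",")
    if proto == "TLS13":
        # TLS 1.3 suite names carry only AEAD+hash; group and sigalg follow.
        if len(fields) != 3:
            raise ValueError(f"TLS 1.3 record needs cipher,group,sigalg: {line!r}")
        cipher, group, sigalg = fields
    else:
        # TLS 1.2 names embed the key exchange; an ECDHE group may follow.
        cipher = fields[0]
        group = fields[1] if len(fields) > 1 else None
        sigalg = None
    count = int(m.group("count")) if m.group("count") else 1
    return Endpoint(proto, cipher, group, sigalg), count


def parse_tally(text: str) -> CounterT[Endpoint]:
    """Aggregate all non-blank lines into endpoint counts."""
    tally: CounterT[Endpoint] = Counter()
    for line in text.splitlines():
        if line.strip():
            ep, n = parse_line(line)
            tally[ep] += n
    return tally


def protocol_counts(tally: CounterT[Endpoint]) -> CounterT[str]:
    by_proto: CounterT[str] = Counter()
    for ep, n in tally.items():
        by_proto[ep.proto] += n
    return by_proto


def protocol_share(tally: CounterT[Endpoint]) -> Dict[str, float]:
    """Fraction of endpoints per protocol version."""
    total = sum(tally.values())
    return {p: n / total for p, n in protocol_counts(tally).items()}


def top(tally: CounterT[Endpoint], n: int = 10) -> List[Tuple[Endpoint, int]]:
    return tally.most_common(n)


if __name__ == "__main__":
    t = parse_tally(POST_TOP10)
    for proto, share in sorted(protocol_share(t).items()):
        print(f"{proto}: {share:.1%}")
    for ep, n in top(t, 3):
        print(n, ep)
```

Within the post's top-10 table this puts 913 of 8785 endpoints on TLS 1.3, a little over 10%; feeding the parser per-connection log records (one per line, no count) gives the same tally for your own MX traffic.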