Re: [exim] Define preferred encryption algorithms

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Viktor Dukhovni
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Define preferred encryption algorithms
On Sun, Oct 13, 2019 at 09:51:42AM -0700, Phillip Carroll via Exim-users wrote:

> Following is the cipher list result I see on CentOS 7.7.1908
> with openssl 1:1.0.2k-19.el7:
> > [root@localhost ~]#openssl ciphers 'DEFAULT:!EXPORT:!LOW:!MEDIUM:!kECDH:!kDH:!aDSS:!PSK'|tr : '\n'
> > [...]
>
> My previous setting (last visited about 4 years ago) resulted in a list
> more than double the length of this, with some ciphers considered very
> weak included. Although, TLS connections (both directions) typically
> result in a TLS1.2 connection using one of the top ciphers in the list.
>
> I also tried adding '@STRENGTH' to the setting but found it produced the
> exact same order. Does exim add that, or does openssl automatically sort
> by strength?


In OpenSSL 1.0.0 (long time ago now), Bodo Möller implemented a
revised cipher selection mechanism that automatically results in
the "ALL" cipherlist being sorted in order of preference. (I played
a small part in encouraging him to start that work). All the other
elementary cipherlists are obtained from "ALL" by applying filters
and so, consequently, they too are sorted. In OpenSSL 1.0.x the
sort order is by cipher strength. For example, running either
OpenSSL 1.0.0 or OpenSSL 1.0.2 I get:

    $ for c in ALL DEFAULT HIGH MEDIUM AES kRSA aRSA aECDSA kEECDH
      do
    c1=$(openssl ciphers -v "$c")
    c2=$(openssl ciphers -v "$c:@STRENGTH")
    printf "%-12s %2d ciphers\n" "${c}:" "$(echo "$c1" | wc -l)"
    diff -u <(echo "$c1") <(echo "$c2")
      done
    ALL:         70 ciphers
    DEFAULT:     44 ciphers
    HIGH:        39 ciphers
    MEDIUM:      17 ciphers
    AES:         20 ciphers
    kRSA:        22 ciphers
    aRSA:        35 ciphers
    aECDSA:       5 ciphers
    kEECDH:      15 ciphers


Where none of the tested elementary cipher strings produced "diff"
output between their default value and explicitly sorted order.

In OpenSSL 1.1.x, forward-secrecy takes precedence over cipher
strength, with the PFS ciphers in key length order, and then the
non-PFS ciphers. So sorting by key length (@STRENGTH) results in
a different order, with forward-secrecy preferred only within each
key length. Eliminating the non-PFS ciphers shows no effect from
key-length sorting:

    $ for c in ALL DEFAULT HIGH MEDIUM AES aRSA aECDSA kEECDH
      do c1=$($openssl110 ciphers -v "$c":'!kDH:!kECDH:!kRSA')
    c2=$($openssl110 ciphers -v "$c":'!kDH:!kECDH:!kRSA:@STRENGTH')
    printf "%-12s %2d ciphers\n" "${c}:" "$(echo "$c1" | wc -l)"
    diff -u <(echo "$c1") <(echo "$c2")
      done
    ALL:         64 ciphers
    DEFAULT:     49 ciphers
    HIGH:        56 ciphers
    MEDIUM:       8 ciphers
    AES:         40 ciphers
    aRSA:        22 ciphers
    aECDSA:       9 ciphers
    kEECDH:      23 ciphers


-- 
    Viktor.