On Sun, Oct 13, 2019 at 09:51:42AM -0700, Phillip Carroll via Exim-users wrote:
> Following is the cipher list result I see on CentOS 7.7.1908
> with openssl 1:1.0.2k-19.el7:
> > [root@localhost ~]#openssl ciphers 'DEFAULT:!EXPORT:!LOW:!MEDIUM:!kECDH:!kDH:!aDSS:!PSK'|tr : '\n'
> > [...]
>
> My previous setting (last visited about 4 years ago) resulted in a list
> more than double the length of this, with some ciphers considered very
> weak included. Although, TLS connections (both directions) typically
> result in a TLS1.2 connection using one of the top ciphers in the list.
>
> I also tried adding '@STRENGTH' to the setting but found it produced the
> exact same order. Does exim add that, or does openssl automatically sort
> by strength?
In OpenSSL 1.0.0 (a long time ago now), Bodo Möller implemented a
revised cipher selection mechanism that automatically results in
the "ALL" cipherlist being sorted in order of preference. (I played
a small part in encouraging him to start that work). All the other
elementary cipherlists are obtained from "ALL" by applying filters
and so, consequently, they too are sorted. In OpenSSL 1.0.x the
sort order is by cipher strength. For example, running either
OpenSSL 1.0.0 or OpenSSL 1.0.2 I get:
$ for c in ALL DEFAULT HIGH MEDIUM AES kRSA aRSA aECDSA kEECDH
  do
    c1=$(openssl ciphers -v "$c")
    c2=$(openssl ciphers -v "$c:@STRENGTH")
    printf "%-12s %2d ciphers\n" "${c}:" "$(echo "$c1" | wc -l)"
    diff -u <(echo "$c1") <(echo "$c2")
  done
ALL:         70 ciphers
DEFAULT:     44 ciphers
HIGH:        39 ciphers
MEDIUM:      17 ciphers
AES:         20 ciphers
kRSA:        22 ciphers
aRSA:        35 ciphers
aECDSA:       5 ciphers
kEECDH:      15 ciphers
Where none of the tested elementary cipher strings produced "diff"
output between their default value and explicitly sorted order.
In OpenSSL 1.1.x, forward-secrecy takes precedence over cipher
strength, with the PFS ciphers in key length order, and then the
non-PFS ciphers. So sorting by key length (@STRENGTH) results in
a different order, with forward-secrecy preferred only within each
key length. Eliminating the non-PFS ciphers shows no effect from
key-length sorting:
$ # $openssl110 holds the path to an OpenSSL 1.1.x "openssl" binary
$ for c in ALL DEFAULT HIGH MEDIUM AES aRSA aECDSA kEECDH
  do
    c1=$($openssl110 ciphers -v "$c":'!kDH:!kECDH:!kRSA')
    c2=$($openssl110 ciphers -v "$c":'!kDH:!kECDH:!kRSA:@STRENGTH')
    printf "%-12s %2d ciphers\n" "${c}:" "$(echo "$c1" | wc -l)"
    diff -u <(echo "$c1") <(echo "$c2")
  done
ALL:         64 ciphers
DEFAULT:     49 ciphers
HIGH:        56 ciphers
MEDIUM:       8 ciphers
AES:         40 ciphers
aRSA:        22 ciphers
aECDSA:       9 ciphers
kEECDH:      23 ciphers
--
Viktor.
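An added example, not part of the thread above or of Exim or OpenSSL: a small Python script that parses `openssl ciphers -v` output and checks the two properties the reply describes, whether forward-secret key exchange sorts ahead of everything else, and whether a stable sort by key length (what @STRENGTH does) would change the order at all. The two embedded cipher lists are constructed to mirror the 1.0.x and 1.1.x regimes and are not captures from the systems in the thread; the function names, the `pfs` test on the Kx column, and the `live_ciphers` helper (which assumes an `openssl` binary on PATH) are this example's own choices.

```python
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# One line of `openssl ciphers -v` output looks like:
#   NAME PROTO Kx=... Au=... Enc=ALG(bits) Mac=...
# Enc=None (the NULL ciphers) carries no bit count, hence the optional group.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Constructed samples for this example (not captured from the thread's systems).
# 1.0.x regime: key-length order only, PFS and non-PFS interleaved.
SAMPLE_102 = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""
# 1.1.x regime: forward-secret ciphers first (in key-length order), then the rest.
SAMPLE_110 = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str

    @property
    def pfs(self) -> bool:
        # Ephemeral (EC)DH prints as a bare Kx=ECDH or Kx=DH; 1.0.x static variants
        # print as ECDH/RSA, ECDH/ECDSA, DH/RSA, DH/DSS, and RSA key transport as Kx=RSA.
        # Anonymous (EC)DH also prints a bare Kx and so passes this test (unauthenticated
        # but still forward-secret); exclude aNULL separately if that matters to you.
        return self.kx in ("ECDH", "DH")


def parse_ciphers(text: str) -> list[Cipher]:
    """Parse `openssl ciphers -v` output, preserving the library's preference order."""
    ciphers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        d = m.groupdict()
        ciphers.append(Cipher(d["name"], d["proto"], d["kx"], d["au"], d["enc"],
                              int(d["bits"] or 0), d["mac"]))
    return ciphers


def strength_sorted(ciphers: list[Cipher]) -> list[Cipher]:
    """What @STRENGTH does: a stable sort by key length, highest first (ties keep order)."""
    return sorted(ciphers, key=lambda c: -c.bits)


def strength_changes_order(ciphers: list[Cipher]) -> bool:
    return [c.name for c in strength_sorted(ciphers)] != [c.name for c in ciphers]


def pfs_before_non_pfs(ciphers: list[Cipher]) -> bool:
    """True if no forward-secret cipher appears after a non-forward-secret one."""
    seen_non_pfs = False
    for c in ciphers:
        if not c.pfs:
            seen_non_pfs = True
        elif seen_non_pfs:
            return False
    return True


def only_pfs(ciphers: list[Cipher]) -> list[Cipher]:
    """Keep ephemeral (EC)DH only, the intent of the thread's '!kDH:!kECDH:!kRSA' filters."""
    return [c for c in ciphers if c.pfs]


def live_ciphers(spec: str, binary: str = "openssl") -> list[Cipher]:
    """Run the real tool on a cipher spec (assumes an openssl binary on PATH)."""
    out = subprocess.run([binary, "ciphers", "-v", spec], check=True,
                         capture_output=True, text=True).stdout
    return parse_ciphers(out)


if __name__ == "__main__":
    for label, text in (("1.0.x sample", SAMPLE_102), ("1.1.x sample", SAMPLE_110)):
        cs = parse_ciphers(text)
        print(label, len(cs), "ciphers; PFS first:", pfs_before_non_pfs(cs),
              "; @STRENGTH reorders:", strength_changes_order(cs),
              "; @STRENGTH reorders PFS-only:", strength_changes_order(only_pfs(cs)))
```

Against the 1.0.x-style sample @STRENGTH changes nothing but PFS is not grouped first; against the 1.1.x-style sample PFS comes first, @STRENGTH would demote the non-PFS suites, and once non-PFS suites are filtered out the sort is again a no-op. To check a real system, replace the samples with `live_ciphers("DEFAULT:!kDH:!kECDH:!kRSA")` and the same spec with `:@STRENGTH` appended.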