Re: [exim] Define preferred encryption algorithms

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Define preferred encryption algorithms
On Sun, Oct 13, 2019 at 09:51:42AM -0700, Phillip Carroll via Exim-users wrote:

> This thread has given me a much deeper understanding of how to manage
> cipher negotiation in exim. As a result of this thread I have adopted
> Viktor's setting for tls_require_ciphers. (Thanks Viktor)


One thing I forgot to mention is that starting with OpenSSL 1.1.0, the
"ALL" and "DEFAULT" cipherlists are by default restricted further
by the "security level". The default "level 1" sets a floor of
roughly 80-bit or better security across all the various algorithms,
so you get:
    
    - SHA1 or stronger, no MD5 in TLS or in X.509 certificate
      chains other than root CA self-signatures.
    - RSA with 1024-bit or longer keys in all X.509 certificates
    - Diffie Hellman with 1024-bit or larger primes
    - ECDSA with 160-bit or stronger curves (rarely less than 256)
    - ECDHE with 160-bit or stronger curves


The security level can be specified in the cipherlist by adding
"@SECLEVEL=<n>", for a suitable choice of <n>.

With opportunistic TLS, where handshake failure falls back to
transmission in the clear, Postfix explicitly selects "@SECLEVEL=0",
removing the safety net, because even weak crypto should be better
than none. The "@SECLEVEL=1" setting only applies for destinations
for which TLS is mandatory (e.g. DANE, but also mandatory local
policy to enforce TLS encryption with or without authentication).

Exim may not have automatic tuning of the security level based on
mandatory vs. opportunistic TLS, so setting "@SECLEVEL=0" for the
smtp router, unless that router is dedicated to just opportunistic
TLS, and perhaps sites with weak DH or MD5 signatures in their RSA
certs are no longer sufficiently common to warrant accommodating.

-- 
    Viktor.