Autor: Cyborg Fecha: A: exim-users Asunto: Re: [exim] Exim (aoom) named in context of new TLS cross-protocol
attack
Am 11.06.21 um 00:37 schrieb Jeremy Harris via Exim-users: > On 10/06/2021 13:52, Cyborg via Exim-users wrote:
>> After reading the paper a bit closer, rejecting the entire connection
>> when a HTTP headerline is detected,
>> seems to be only valid option here, as long as ALPN isn't implemented
>> widely.
>
> Do we need ACL-level visibilty of a synprot-rejected line?
>
don't think so, as the first line of communication will be rejected,
there is no smtp happening.
>> Heikos suggestion to set smtp_max_synprot_errors = 0 is the
>> workaround to go atm.
>
> But, ALPN implemented by what protocols?
> All, but esmtp. Thats the whole point of ALPN. "You reject whats not
intendet for you."
> The next level would be something like
> - server option hosts_require_alpn
> - client options hosts_offer_alpn, hosts_require_alpn
> And logging.
as a consequence, yes. ATM only a few others have adopted ALPN, so you
can plan and implement those features without any hurry.
I can imagine, that gnutls, libre and openssl also need time to offer
api functions to support or enable this. So it will take time anyway,
before it can be implemented fully. For the moment, a reject reaction on
any HTTP/ header or a default of 0 protocol errors would be sufficient.