Re: [exim] GnuTLS vs OpenSSL

Top Page
Delete this message
Reply to this message
Author: exim-users
Date:  
To: exim-users
Subject: Re: [exim] GnuTLS vs OpenSSL
Hi Sabahattin,

On 18.09.21 11:58, Sabahattin Gucukoglu via Exim-users wrote:
> Is there really a good reason? I do it chiefly because I like OpenSSL’s cipher selection (I want very permissive, ordered by @STRENGTH, and TLS 1.3 would be nice). There were also horror stories about RNG entropy starvation caused by GnuTLS.


I run a bunch of low volume mail servers (some thousand mails/day) with Debian standard packages and it works well for me. Never had issues with entropy starvation (I run haveged on my servers
now, but even before I did not observe any issues like this). As of now, I believe you could achieve anything you want with the GnuTLS configuration as well (some selection features were
missing some time ago), I personally use the following cipher selection:

tls_require_ciphers = PFS:SECURE256:SECURE192:-3DES-CBC:-CURVE-SECP192R1:-CURVE-SECP224R1:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-NULL:+VERS-TLS1.3:-MD5:%SERVER_PRECEDENCE:%FORCE_ETM

in the Exim configuration file. I use testssl.sh (https://testssl.sh/) to verify my configuration (as there is nothing handy like the Qualys Test for HTTPS, IMHO). Test result for the above
cipher list is:

--cut
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
 Finite field group:          ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192


Testing server preferences

 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Cipher order
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES256-CCM AES128-GCM-SHA256 AES128-CCM
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256
--cut


The documentation on https://gnutls.org/manual/html_node/Priority-Strings.html is very good. There are much more (good) examples and defaults for OpenSSL cipher strings, however the general
approach is very similar. This blog entry was a good start https://blog.lighttpd.net/gnutls-priority-strings.html, but it is quite outdated today (unfortunately).

> I appreciate that this is borderline a Debian question, but since there are presumably experienced users of both libraries here, do you think Exim+GnuTLS is actually viable and that if I were to switch to the prebuilt binaries and adapt to GnuTLSisms it would be adequate for a quiet personal server?


Last time I thought about switching to a self build with OpenSSL was, when TLS1.3 was bleeding edge and not provided by the Debian packaged GnuTLS. Did'nt do it, because security patching in
time by the distros team is a big plus (I would not be able to do this in time and quality).

Besides this: About 85% of the incoming traffic is still unencrypted (for my statistics, mainly because some high volume mailing list servers do not use TLS), about 10% uses TLS1.3, 5% still
uses TLS1.2 (I log TLS ciphers via +tls_cipher in Exim).

hth,
Thomas