Re: [exim] GnuTLS vs OpenSSL

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] GnuTLS vs OpenSSL
On Mon, Sep 20, 2021 at 12:12:02PM +0200, exim-users--- via Exim-users wrote:

> > There's little to nothing particularly wrong with TLS 1.0 for SMTP,
> > and certainly nothing that's fixed in TLS 1.1, so if the floor isn't
> > TLS 1.2 it should be 1.0 (I still recommend leaving it enabled for
> > now).
>
> TLS 1.0 and 1.1 have been deprecated for HTTPS (at least practically,
> since modern browsers stopped supporting it last year and IETF
> formally deprecated 1.0 and 1.1 March 2021) and TLS 1.2 is out for
> more than 10 years.


Yes, that's because the relevant attacks are browser-related. Hence
the /for SMTP/ qualification.

> Any site, that does not support at least TLS 1.2 is running absolutely
> outdated software. GnuTLS handshake errors are logged very few times
> (<<1% of the messages), I suppose that enabling TLS1.1 and lower would
> not increase encrypted connections very much.


Indeed, but my take is that some encryption is better than no
encryption, see <https://datatracker.ietf.org/doc/html/rfc7435>.

> Anyway: My main goal is to protect credentials of my users, if I would
> enable TLS1.1 and lower, I would risk that this communication is not
> secured adequately.


Indeed, that's why I would recommend a floor of TLS 1.2 for portss 587
and 465, but not necessarily port 25.

> Additionally, I enforce encryption (TLS1.2+) on outgoing connections
> (only very few sites do not support that, I maintain a list of
> exceptions, when I see mails lingering in the queue).


This is where our priorities differ. Barring a practical downgrade
attack on SMTP STARTTLS made possible by keeping TLS 1.0 enabled, I
see little reason yet to force the remaining TLS 1.0 to use cleartext.
(Yes I'm aware of past cross-protocol attacks, see the author list of
DROWN: <https://drownattack.com/drown-attack-paper.pdf>)

On Sun, Sep 19, 2021 at 10:21:20AM +0200, Simon Josefsson via Exim-users wrote:

> > Make that TLS 1.0, almost nobody uses TLS 1.1, the sites that don't
> > support at least TLS 1.2 almost invariably only support TLS 1.0.
>
> FWIW, I have used standard Debian exim (heavy, with GnuTLS) for my
> personal email server for a couple of years, and I don't recall any
> TLS-related problem. FWIW, it seems TLS1.2 and TLS 1.3 is in wide
> use, see statistics from the last couple of days on my server:


Indeed TLS 1.0 is increasingly rare. The DANE survey finds the
below TLS version frequencies for MX hosts with DANE TLSA records:

    TLSv1.3     21,177
    TLSv1.2      3,180
    TLSv1.0         12


But these are domains that showed some active interest in SMTP security,
by publishing DANE TLSA records. I'd expect the TLS 1.0 frequency among
general domains to be somewhat higher.

Anyway, your call of course. My take is that supporting TLS 1.0 does
not in any practical way reduce the security of email sent to sites that
support TLS 1.2 or 1.3. TLS version negotiation is downgrade resistant.
Downgrades would in any case require an active attack, and SMTP STARTTLS
does not defend against active attacks. Far easier to just strip
STARTTLS than to perform TLS version downgrades.

-- 
    Viktor.