https://bugs.exim.org/show_bug.cgi?id=2822
Bug ID: 2822
Summary: Issues with DHE ciphers - problems with GnuTLS implementation?
Product: Exim
Version: 4.94
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: jgh146exb@???
Reporter: freaky@???
CC: exim-dev@???
Hi,
it seems the GnuTLS implementation within Exim is broken.
Tried quite a few priority strings which yield DHE results in GnuTLS, and
actually show up in scans against gnutls-serv, but don't yield any DHE results
on exim.
Been scanning this with sslscan, which fails to detect them. Not the first one
to run into this apparently, see here:
https://github.com/rbsec/sslscan/issues/214#issuecomment-946125038
Running with string:
"SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-AES-128-CCM:-AES-256-CCM:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-AES-256-CBC:+AES-256-CBC:-AES-128-CBC:+AES-128-CBC:%SERVER_PRECEDENCE"
currently.
$ gnutls-cli --priority="SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-AES-128-CCM:-AES-256-CCM:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-AES-256-CBC:+AES-256-CBC:-AES-128-CBC:+AES-128-CBC:%SERVER_PRECEDENCE" -l
Cipher suites for
SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-AES-128-CCM:-AES-256-CCM:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-AES-256-CBC:+AES-256-CBC:-AES-128-CBC:+AES-128-CBC:%SERVER_PRECEDENCE
TLS_AES_256_GCM_SHA384 0x13, 0x02 TLS1.3
TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03 TLS1.3
TLS_AES_128_GCM_SHA256 0x13, 0x01 TLS1.3
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a TLS1.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 TLS1.0
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14 TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13 TLS1.0
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 TLS1.0
Protocols: VERS-TLS1.2, VERS-TLS1.3
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-128-GCM, AES-256-CBC, AES-128-CBC
MACs: SHA1, AEAD
Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, DHE-RSA
Groups: GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519,
GROUP-X448, GROUP-FFDHE4096, GROUP-FFDHE6144, GROUP-FFDHE8192
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-RSAE-SHA256,
SIGN-ECDSA-SHA256, SIGN-ECDSA-SECP256R1-SHA256, SIGN-EdDSA-Ed25519,
SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384,
SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-EdDSA-Ed448,
SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512,
SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512
Scan results against gnutls-serv:
$ sslscan localhost
Version: 2.0.10-static
OpenSSL 1.1.1k 25 Mar 2021
Connected to ::1
Testing SSL server localhost on port 443 using SNI name localhost
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 4096 bits
Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305 DHE 4096 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 4096 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 4096 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 4096 bits
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 150 bits ffdhe4096
TLSv1.3 175 bits ffdhe6144
TLSv1.3 192 bits ffdhe8192
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 4096
Scan results against exim:
$ sslscan --starttls-smtp some-host
Version: 2.0.10-static
OpenSSL 1.1.1k 25 Mar 2021
Connected to <ipv6 address of some-host>
Testing SSL server some-host on port 25 using SNI name some-host
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 150 bits ffdhe4096
TLSv1.3 175 bits ffdhe6144
TLSv1.3 192 bits ffdhe8192
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Note it's not offering any DHE ciphers.
Running this over the logs:
# grep TLS maillog | grep 'P=' | grep -o '\sX=\S*\s' | cut -f 2 -d '=' | sort | uniq -c
46 TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_CBC__SHA1:256
28 TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256
1 TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_GCM:128
1372 TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256
1 TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_CBC__SHA1:128
26 TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_256_CBC__SHA1:256
968 TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_256_GCM:256
365 TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256
7 TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA512__AES_256_GCM:256
Also doesn't show any parties using it incoming.
Do see it used for sending mails however.
Could this be looked into?
We need to tune TLS stacks according to NCSC guidelines. Although one would
expect ECDHE-RSA-AES128-SHA or ECDHE-RSA-AES256-SHA being supported by nearly
anything these days, there are quite a few servers out there that don't do
ECDHE at all. Probably configured badly, it's been around for quite some time.
Being able to offer some DHE variants would go a long way in that.
Guidelines no longer allow for RSA key exchanges at all.
Considering the report I found at sslscan, the issue has been present for a
while now.
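An added example, not part of the bug report: the grep pipeline above only counts X= values, so it cannot separate incoming (`<=`) from outgoing (`=>`) sessions, which is exactly the distinction the reporter makes. This small Python tally runs over constructed Exim mainlog lines (not real traffic) and groups sessions by direction and key-exchange family; the ECDHE values copy the naming seen in the report, while the `DHE_FFDHE4096` value is an assumed rendering used only to exercise the classifier.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog style (not real traffic).
# "<=" marks a received message (incoming TLS), "=>" a delivery (outgoing TLS).
# The DHE_FFDHE4096 X= value is an assumption about how Exim/GnuTLS would
# render a DHE session; the ECDHE values mirror the report's log excerpt.
SAMPLE_LOG = """\
2021-10-21 09:00:01 1mdAaa-000001-AA <= a@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256 CV=no S=2048
2021-10-21 09:00:02 1mdAab-000002-AB <= b@example.org H=mx2.example.org [192.0.2.11] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no S=3072
2021-10-21 09:00:03 1mdAac-000003-AC <= c@example.org H=mx3.example.org [192.0.2.12] P=esmtp S=1024
2021-10-21 09:00:04 1mdAaa-000001-AA => d@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5] X=TLS1.2:DHE_FFDHE4096__RSA_SHA256__AES_256_GCM:256 CV=yes C="250 OK"
2021-10-21 09:00:05 1mdAab-000002-AB => e@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.6] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_256_CBC__SHA1:256 CV=yes C="250 OK"
"""

DIRECTION = {"<=": "incoming", "=>": "outgoing"}
X_FIELD = re.compile(r"\sX=(\S+)")

def parse_cipher(x):
    """Split an Exim/GnuTLS X= value into (protocol, key-exchange family, bits).
    Example: TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256"""
    proto, desc, bits = x.split(":")
    kex = desc.split("__")[0]        # ECDHE_SECP256R1, DHE_FFDHE4096, RSA, ...
    kex_family = kex.split("_")[0]   # ECDHE, DHE, RSA
    return proto, kex_family, int(bits)

def tally(log_text):
    """Count sessions per (direction, key-exchange family); 'plaintext' when no X= is logged."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # date, time, message-id, then the direction flag
        if len(fields) < 4 or fields[3] not in DIRECTION:
            continue
        direction = DIRECTION[fields[3]]
        m = X_FIELD.search(line)
        if not m:
            counts[(direction, "plaintext")] += 1
            continue
        _, kex_family, _ = parse_cipher(m.group(1))
        counts[(direction, kex_family)] += 1
    return counts

def dhe_seen(counts, direction):
    """True if at least one DHE session was logged in the given direction."""
    return counts.get((direction, "DHE"), 0) > 0
```

Point it at the real mainlog by replacing SAMPLE_LOG with the file contents; a zero DHE count on the incoming side with DHE present outgoing reproduces the observation in the report.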