[exim-dev] [Bug 2822] New: Issues with DHE ciphers - problem…

Author: admin
To: exim-dev
Subject: [exim-dev] [Bug 2822] New: Issues with DHE ciphers - problems with GnuTLS implementation?
https://bugs.exim.org/show_bug.cgi?id=2822

            Bug ID: 2822
           Summary: Issues with DHE ciphers - problems with GnuTLS
                    implementation?
           Product: Exim
           Version: 4.94
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: freaky@???
                CC: exim-dev@???


Hi,

it seems the GnuTLS implementation within Exim is broken.

Tried quite a few priority strings which yield DHE results in GnuTLS, and
actually show up in scans against gnutls-serv, but don't yield any DHE results
on exim.

Been scanning this with sslscan, which fails to detect them. Not the first one
to run into this apparently, see here:
https://github.com/rbsec/sslscan/issues/214#issuecomment-946125038

Running with string:
"SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-AES-128-CCM:-AES-256-CCM:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-AES-256-CBC:+AES-256-CBC:-AES-128-CBC:+AES-128-CBC:%SERVER_PRECEDENCE"
currently.

$ gnutls-cli --priority="SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-AES-128-CCM:-AES-256-CCM:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-AES-256-CBC:+AES-256-CBC:-AES-128-CBC:+AES-128-CBC:%SERVER_PRECEDENCE" -l
Cipher suites for
SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-AES-128-CCM:-AES-256-CCM:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-AES-256-CBC:+AES-256-CBC:-AES-128-CBC:+AES-128-CBC:%SERVER_PRECEDENCE
TLS_AES_256_GCM_SHA384                                  0x13, 0x02      TLS1.3
TLS_CHACHA20_POLY1305_SHA256                            0x13, 0x03      TLS1.3
TLS_AES_128_GCM_SHA256                                  0x13, 0x01      TLS1.3
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2c      TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                       0xcc, 0xa9      TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                      0xc0, 0x2b      TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                        0xc0, 0x0a      TLS1.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                        0xc0, 0x09      TLS1.0
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                         0xcc, 0xa8      TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                        0xc0, 0x2f      TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1                          0xc0, 0x14      TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1                          0xc0, 0x13      TLS1.0
TLS_DHE_RSA_AES_256_GCM_SHA384                          0x00, 0x9f      TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305                           0xcc, 0xaa      TLS1.2
TLS_DHE_RSA_AES_128_GCM_SHA256                          0x00, 0x9e      TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      TLS1.0


Protocols: VERS-TLS1.2, VERS-TLS1.3
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-128-GCM, AES-256-CBC, AES-128-CBC
MACs: SHA1, AEAD
Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, DHE-RSA
Groups: GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519,
GROUP-X448, GROUP-FFDHE4096, GROUP-FFDHE6144, GROUP-FFDHE8192
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-RSAE-SHA256,
SIGN-ECDSA-SHA256, SIGN-ECDSA-SECP256R1-SHA256, SIGN-EdDSA-Ed25519,
SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384,
SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-EdDSA-Ed448,
SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512,
SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512

Scan results against gnutls-serv:

$ sslscan localhost
Version: 2.0.10-static
OpenSSL 1.1.1k 25 Mar 2021

Connected to ::1

Testing SSL server localhost on port 443 using SNI name localhost

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled


TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-256 DHE 256
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-256 DHE 256
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-256 DHE 256
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 4096 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CHACHA20-POLY1305     DHE 4096 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 4096 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 4096 bits


Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 150 bits ffdhe4096
TLSv1.3 175 bits ffdhe6144
TLSv1.3 192 bits ffdhe8192
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Scan results against exim:

$ sslscan --starttls-smtp some-host
Version: 2.0.10-static
OpenSSL 1.1.1k 25 Mar 2021

Connected to <ipv6 address of some-host>

Testing SSL server some-host on port 25 using SNI name some-host

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled


TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-256 DHE 256
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-256 DHE 256
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-256 DHE 256
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256


Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 150 bits ffdhe4096
TLSv1.3 175 bits ffdhe6144
TLSv1.3 192 bits ffdhe8192
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Note it's not offering any DHE ciphers.

Running this over the logs:
# grep TLS maillog | grep 'P=' | grep -o '\sX=\S*\s' | cut -f 2 -d '=' | sort | uniq -c
     46 TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_CBC__SHA1:256
     28 TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256
      1 TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_GCM:128
   1372 TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256
      1 TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_CBC__SHA1:128
     26 TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_256_CBC__SHA1:256
    968 TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_256_GCM:256
    365 TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256
      7 TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA512__AES_256_GCM:256


Also doesn't show any parties using it incoming.

Do see it used for sending mails however.


Could this be looked into?

We need to tune TLS stacks according to NCSC guidelines. Although one would
expect ECDHE-RSA-AES128-SHA or ECDHE-RSA-AES256-SHA being supported by nearly
anything these days, there are quite a few servers out there that don't do
ECDHE at all. Probably configured badly, it's been around for quite some time.
Being able to offer some DHE variants would go a long way in that.

Guidelines no longer allow for RSA key exchanges at all.

Considering the report I found at sslscan, the issue has been present for a
while now.

--
You are receiving this mail because:
You are on the CC list for the bug.
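The grep pipeline in the report counts the exact X= cipher strings from the Exim log. The script below, an added example that is not part of the bug report or of Exim, does the same tally but groups sessions by TLS version and key-exchange family (ECDHE, DHE, RSA), so an operator auditing against a guideline that forbids RSA key exchange can see at a glance whether DHE is ever negotiated and how many sessions still fall back to plain RSA. The sample log lines are constructed; the ECDHE entries copy the GnuTLS X= format shown in the report, while the DHE and plain-RSA entries are assumed shapes for those key exchanges, not observed Exim output.

```python
import re
from collections import Counter

# Constructed sample Exim log lines (not taken from the bug report). Received
# messages ('<=') carry a P= protocol field; deliveries ('=>') do not. The DHE
# and plain-RSA X= values are assumed shapes, not observed GnuTLS output.
SAMPLE_LOG = """\
2021-10-21 10:00:01 1mdAAA-000001-AA <= a@example.org H=mx1.example.org [192.0.2.1] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256 CV=no S=2048
2021-10-21 10:00:02 1mdAAA-000002-AB <= b@example.org H=mx2.example.org [192.0.2.2] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no S=1024
2021-10-21 10:00:03 1mdAAA-000003-AC => c@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5] X=TLS1.2:DHE_RSA__RSA_SHA256__AES_128_GCM:128 CV=yes
2021-10-21 10:00:04 1mdAAA-000004-AD <= d@example.org H=old.example.org [192.0.2.3] P=esmtps X=TLS1.2:RSA__AES_256_CBC__SHA1:256 CV=no S=777
2021-10-21 10:00:05 1mdAAA-000005-AE <= e@example.org H=plain.example.org [192.0.2.4] P=esmtp S=512
"""

# Same field the report's grep extracts: whitespace, then X=<non-space run>.
X_FIELD = re.compile(r"\sX=(\S+)")


def parse_cipher(x_value):
    """Split 'TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256' into
    (version, key-exchange family, suite). The family is the token before the
    first underscore of the key-exchange part: ECDHE, DHE or RSA."""
    parts = x_value.split(":")
    if len(parts) < 2:
        return None
    version, suite = parts[0], parts[1]
    key_exchange = suite.split("__")[0]
    family = key_exchange.split("_")[0]
    return version, family, suite


def summarize(log_text, incoming_only=True):
    """Count TLS sessions per (version, key-exchange family).

    With incoming_only=True only lines carrying a P= field are counted, which
    mirrors the report's `grep 'P='` and restricts the tally to received mail."""
    counts = Counter()
    for line in log_text.splitlines():
        if incoming_only and " P=" not in line:
            continue  # delivery line: no P= field, skip like the grep pipeline
        match = X_FIELD.search(line)
        if not match:
            continue  # plaintext session, no X= field at all
        parsed = parse_cipher(match.group(1))
        if parsed:
            version, family, _ = parsed
            counts[(version, family)] += 1
    return counts


def missing_families(counts, expected=("ECDHE", "DHE")):
    """Key-exchange families that never appear in the log; an empty list means
    every expected family was negotiated at least once."""
    seen = {family for _, family in counts}
    return [family for family in expected if family not in seen]


def rsa_kx_sessions(counts):
    """Sessions that used plain RSA key exchange (no forward secrecy)."""
    return sum(n for (_, family), n in counts.items() if family == "RSA")


if __name__ == "__main__":
    for incoming in (True, False):
        counts = summarize(SAMPLE_LOG, incoming_only=incoming)
        print("incoming only" if incoming else "all sessions")
        for (version, family), n in sorted(counts.items()):
            print(f"  {n:5d} {version} {family}")
        print("  never negotiated:", missing_families(counts) or "none")
        print("  plain RSA key exchange:", rsa_kx_sessions(counts))
```

Run against a real log with `summarize(open("/var/log/exim/mainlog").read())`; a non-empty `missing_families()` result for DHE on the incoming side reproduces the observation in the report, and `rsa_kx_sessions()` shows how many peers would be cut off once RSA key exchange is disabled, which is the population DHE support is meant to keep reachable.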