Re: [exim-dev] [Bug 2822] Issues with DHE ciphers - problems…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation?
On Tue, Oct 19, 2021 at 09:21:24PM +0000, admin--- via Exim-dev wrote:
> https://bugs.exim.org/show_bug.cgi?id=2822
>
> --- Comment #2 from Jeremy Harris <jgh146exb@???> ---
> a) you didn't say what version of GnuTLS, nor distribution of Exim
> b) working out what you are trying to say in that wall of text is tiring


Though my comment likely won't make it into the ticket log, and so might
not reach the OP, I feel obliged to note that turning up TLS security to
11 for opportunistic TLS in SMTP is rather a bad idea.

    https://datatracker.ietf.org/doc/html/rfc7435


Unless such settings are limited to the submission ports, the net result
of raising the floor that high would be more email transmission in the
clear, which rather defeats the purpose (presumably greater SMTP
security).

If e.g. ~112 bit security (2048-bit DHE) is sufficient to protect most
of the web, most software update servers, ... surely it should be good
enough for opportunistic TLS in SMTP.

I realise that my admonitions are unlikely to make a big dent in the
popularity of roasting one's crypto on "HIGH", but perhaps there are one
or two rational folks I might persuade to consider a more realistic
threat model.

-- 
    Viktor.
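The fallback behaviour the message above refers to, as an added example that is not part of this thread, of Exim, or of Viktor's own code: a minimal opportunistic STARTTLS sender in the RFC 7435 sense, written in Python on top of OpenSSL's security levels (`@SECLEVEL=n`) rather than the GnuTLS priority strings the bug report concerns. The level-to-key-size table is the one documented for OpenSSL's `SSL_CTX_set_security_level`; `opportunistic_outcome()` is a hypothetical helper that predicts what such a sender ends up doing against a server offering a given DHE group size, and the host, port and addresses in the `__main__` block are placeholders.

```python
"""Opportunistic STARTTLS sender (RFC 7435 style), added example.

If the TLS handshake fails under the configured policy, the sender
reconnects and delivers in the clear, which is why a policy floor set
above what the remote MTA offers yields *more* cleartext on port 25,
not less. A mandatory-TLS sender defers instead.
"""
import smtplib
import ssl

# OpenSSL security level -> bits of security, and bits -> smallest
# DH/RSA/DSA size accepted (from SSL_CTX_set_security_level(3)).
SECLEVEL_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
BITS_TO_MIN_DH = {0: 0, 80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}


def min_dh_bits(seclevel: int) -> int:
    """Smallest DHE group OpenSSL accepts at this security level."""
    return BITS_TO_MIN_DH[SECLEVEL_BITS[seclevel]]


def handshake_would_succeed(seclevel: int, server_dh_bits: int) -> bool:
    """Would a DHE handshake with this server group pass the client floor?"""
    return server_dh_bits >= min_dh_bits(seclevel)


def opportunistic_outcome(seclevel: int, server_dh_bits: int,
                          mandatory: bool = False) -> str:
    """Hypothetical helper: 'tls', 'cleartext' (opportunistic fallback)
    or 'deferred' (mandatory TLS, no delivery)."""
    if handshake_would_succeed(seclevel, server_dh_bits):
        return "tls"
    return "deferred" if mandatory else "cleartext"


def client_context(seclevel: int) -> ssl.SSLContext:
    """Client context for MTA-to-MTA opportunistic TLS: encryption without
    peer authentication (RFC 7435), with an explicit OpenSSL security level."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    return ctx


def deliver(host: str, port: int, mail_from: str, rcpt_to: list,
            msg: str, seclevel: int, mandatory: bool = False) -> str:
    """Deliver one message; return 'tls', 'cleartext' or 'deferred'."""
    s = smtplib.SMTP(host, port, timeout=30)
    s.ehlo()
    if not s.has_extn("starttls"):
        mode = "cleartext"
    else:
        try:
            s.starttls(context=client_context(seclevel))
            s.ehlo()
            mode = "tls"
        except (ssl.SSLError, smtplib.SMTPException):
            s.close()
            if mandatory:
                return "deferred"
            # RFC 7435: a failed handshake degrades to cleartext rather
            # than to non-delivery. Reconnect and send without TLS.
            s = smtplib.SMTP(host, port, timeout=30)
            s.ehlo()
            mode = "cleartext"
    s.sendmail(mail_from, rcpt_to, msg)
    s.quit()
    return mode


if __name__ == "__main__":
    # Placeholder endpoint; replace with a real MTA to observe the paths.
    print(deliver("mx.example.invalid", 25, "a@example.invalid",
                  ["b@example.invalid"], "Subject: t\r\n\r\nhi\r\n",
                  seclevel=2))
```

Against a peer offering 2048-bit DHE, `seclevel=2` (112-bit) negotiates TLS, while `seclevel=3` (128-bit, 3072-bit DH minimum) fails the handshake and the opportunistic path sends the same message in the clear; only a mandatory-TLS policy, appropriate for submission or for explicitly configured peers, turns that failure into a deferral.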