On Sun, May 25, 2025 at 07:46:00PM +0000, Slavko via Exim-users wrote:

> > But there are no weaknesses in TLS v1.0 or v1.1 relative to v1.2 and
> > 1.3 that are relevant to SMTP sessions.
>
> Yes, I read that multiple times from various sources, but to decide
> properly, we have to ask (and answer) what is TLS version first.

Actually, that's not particularly significant for SMTP. Disabling these is
an exercise in principled attack-surface reduction, predicated on the idea
that these are no longer required in a non-negligible subset of connections.

> As example, from mentioned RFC TLS 1.0 makes mandatory to
> implement the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> without it that is not TLS 1.0,

This is grossly misleading. This MTI cipher for TLS 1.0 was an
interoperability baseline ~20+ years ago, but at this point it is unused,
and there's no expectation that it is still required; you can enable
TLS 1.0 and expect clients to use AES.

> it can only look as it. Do you really consider 3DES with CBC and SHA1
> as secure nowadays?

There are no known practical attacks on 3DES (112-bit keys) and SHA1
(HMAC) in TLS in the context of SMTP. There are some browser-specific
issues with CBC ciphers because TLS did MAC-then-encrypt rather than
encrypt-then-MAC, but these required scripting many connections to
possibly leak cookie information. These attacks don't apply to SMTP.

The SHA1 collision attacks don't apply to TLS; for that you'd need a
2nd-preimage attack, which is not even yet known for MD5.

> I will more believe to OpenSSL devs, from 3.0 migration guide:
>
> The security strength of SHA1 and MD5 based signatures in TLS
> has been reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and
> DTLS 1.0 no longer working at the default security level of 1 and
> instead requires security level 0

This is a reasonable choice for the *generic* application, which is not
doing opportunistic TLS, and possibly shares some of the browser attack
surfaces. It is less compelling for SMTP, but with the passage of time,
as noted above, the impact of dropping support for TLS 1.0/1.1 is
becoming insignificant...

So you could perhaps (using suitable Exim settings) include "@SECLEVEL=1"
in your cipherlist, or perhaps (if supported) set the protocol floor to
TLSv1.2.
Or leave well enough alone; there's no *compelling* reason to worry about
"sexy" cryptographic attacks, it is the boring attacks (bugs,
misconfiguration, supply-chain breaks...) you should worry about.

-- 
Viktor.
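The two Exim knobs Viktor mentions (a security level in the cipher list, or a TLS 1.2 protocol floor), as an added configuration example that is not from the thread or from the Exim project; it assumes an OpenSSL-built Exim, and the option names (`tls_require_ciphers`, `openssl_options`, the `remote_smtp` transport) should be checked against the installed version's documentation.

```conf
# Added example, not from the thread or the Exim project. Main section of an
# OpenSSL-built Exim; option names are assumed to match the installed version.

# Variant A (keep old peers talking): pin the OpenSSL security level in the
# cipher list, as the message suggests. Which level still admits TLS 1.0/1.1
# depends on the OpenSSL build; the migration guide quoted above says level 0.
tls_require_ciphers = DEFAULT:@SECLEVEL=1

# Variant B (principled attack-surface reduction): set the inbound protocol
# floor to TLS 1.2. Setting this replaces Exim's default option list, so
# re-add any defaults you rely on. Peers limited to TLS 1.0/1.1 typically
# retry in cleartext under opportunistic TLS rather than fail outright.
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

begin transports

# Outbound connections use the smtp transport's own cipher setting; keep it
# consistent with whichever variant was chosen for the inbound side.
remote_smtp:
  driver = smtp
  tls_require_ciphers = DEFAULT:@SECLEVEL=1
```

Pick one variant per policy; combining both only makes sense if the chosen security level and the protocol floor agree.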