On Tue, Sep 26, 2023 at 10:49:30AM +0200, Eray Aslan via Postfix-users wrote:
> On Mon, Sep 25, 2023 at 05:51:05PM -0400, Viktor Dukhovni via Postfix-users wrote:
>
> > Not, dangerous, just largely pointless, with *potential* complications,
> > unless there are servers that can actually make use of said
> > certificates.
>
> Can a case be made for promoting anonymous ciphers? I feel they are
> under appreciated and under used. In a lot of use cases, authentication
> is done via another channel or even if there is a problem with the cert,
> you go ahead anyway. Only encryption is used and not authentication but
> we maintain the bits for auth anyway potentially causing problems.

Sure:

    https://datatracker.ietf.org/doc/html/rfc7672#section-8.2

Sadly, AFAIK, none have yet been specified for TLS 1.3. And the choices
for TLS 1.2 are somewhat limited (none with both AECDH and either GCM or
SHA-2 for example):

    https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

    $ openssl ciphers -s -tls1_2 -v 'ALL:!aRSA:!aECDSA:!aDSS:!SEED:!SRP:!PSK:@SECLEVEL=0'
    ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=None Enc=AESGCM(256)   Mac=AEAD
    ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=None Enc=AESGCM(128)   Mac=AEAD
    ADH-AES256-SHA256       TLSv1.2 Kx=DH   Au=None Enc=AES(256)      Mac=SHA256
    ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH   Au=None Enc=Camellia(256) Mac=SHA256
    ADH-AES128-SHA256       TLSv1.2 Kx=DH   Au=None Enc=AES(128)      Mac=SHA256
    ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH   Au=None Enc=Camellia(128) Mac=SHA256
    AECDH-AES256-SHA        TLSv1   Kx=ECDH Au=None Enc=AES(256)      Mac=SHA1
    ADH-AES256-SHA          SSLv3   Kx=DH   Au=None Enc=AES(256)      Mac=SHA1
    ADH-CAMELLIA256-SHA     SSLv3   Kx=DH   Au=None Enc=Camellia(256) Mac=SHA1
    AECDH-AES128-SHA        TLSv1   Kx=ECDH Au=None Enc=AES(128)      Mac=SHA1
    ADH-AES128-SHA          SSLv3   Kx=DH   Au=None Enc=AES(128)      Mac=SHA1
    ADH-CAMELLIA128-SHA     SSLv3   Kx=DH   Au=None Enc=Camellia(128) Mac=SHA1

So the opportunity to use anonymous ciphers is slipping away. With TLS
1.2, Postfix does use anon-ECDH or anon-DH ciphers when mutually
supported (e.g. Postfix client to Postfix server at security levels
"may" or "encrypt"). An example from my logs:

    Sep 25 18:09:58 amnesiac postfix/smtpd[66854]: Anonymous TLS connection established from mailer2.gandi.net[217.70.182.74]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
    Sep 25 20:15:27 straasha postfix/smtpd[16441]: Anonymous TLS connection established from mail70-4z9c.e2ma.net[139.60.2.70]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

"Anonymous" here just means no *client* cert, but the cipher name
"ADH-..." or "AECDH-..." is one that is certificate-free in both
directions.

There is typically little support in the IETF TLS working group for
adding more anonymous ciphers.

-- 
    Viktor.
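
The distinction drawn at the end of the message above (the "Anonymous" status word versus an ADH-/AECDH- cipher name) can be checked mechanically over smtpd logs. This is an added example, not part of the original message or of Postfix; the regex, the function names and the third sample line (a constructed entry using a documentation address) are assumptions.

```python
import re
from collections import Counter

# Lines 1-2 are the log lines quoted in the message above; line 3 is a
# constructed line (documentation address) with a certificate-based cipher.
SAMPLE_LOG = """\
Sep 25 18:09:58 amnesiac postfix/smtpd[66854]: Anonymous TLS connection established from mailer2.gandi.net[217.70.182.74]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Sep 25 20:15:27 straasha postfix/smtpd[16441]: Anonymous TLS connection established from mail70-4z9c.e2ma.net[139.60.2.70]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Sep 25 21:02:11 amnesiac postfix/smtpd[67001]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Status word, direction, peer "name[addr]" (optional ":port" on client-side
# lines), protocol version and OpenSSL cipher name.
TLS_LINE = re.compile(
    r"(?P<status>\w+) TLS connection established (?P<dir>from|to) "
    r"(?P<peer>\S+?\[[^\]]*\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# OpenSSL names of the Au=None suites shown in the cipher listing above.
ANON_PREFIXES = ("ADH-", "AECDH-")


def parse_tls_lines(text):
    """Yield one dict per Postfix 'TLS connection established' log line."""
    for line in text.splitlines():
        m = TLS_LINE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        # Certificate-free in both directions only if the cipher is anonymous;
        # the status word "Anonymous" alone only says no client cert was seen.
        rec["anon_cipher"] = rec["cipher"].startswith(ANON_PREFIXES)
        yield rec


def summarize(text):
    """Count connections by (logged status, anonymous cipher negotiated?)."""
    return Counter((r["status"], r["anon_cipher"]) for r in parse_tls_lines(text))


if __name__ == "__main__":
    for r in parse_tls_lines(SAMPLE_LOG):
        kind = "no certs either way" if r["anon_cipher"] else "server cert sent"
        print(f'{r["peer"]:40} {r["proto"]} {r["cipher"]:30} {kind}')
    print(summarize(SAMPLE_LOG))
```
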