On Fri, Nov 22, 2024 at 01:09:06PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> Our customer has an old scanner/printer seems to support TLS1.2, but only a
> few weak ciphers that are forbidden in our postfix configuration, according
> to old discussion in this list:

TLS 1.2 is acceptable, and the supported ciphers should overlap with
ones you should be willing to support, provided your OpenSSL library is
not compiled or configured to turn crypto security up to 11.

> smtpd_tls_exclude_ciphers =
>     MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES

The "SRP" and "PSK" exclusions are only there to not clutter the
cipherlist, they can't be used without additional configuration, so
their exclusion is *cosmetic*.  The rest are indeed obsolete, and are
excluded by default in recent Postfix versions:

    $ postconf -d | grep MD5
    tls_high_cipherlist = aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:@STRENGTH
    tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH
    tls_null_cipherlist = eNULL:!kDH:!kECDH:!aDSS:!MD5:!aNULL

But that's not your problem.

> According to wireshark input its supported ciphers are:
>
> Handshake Protocol: Client Hello
>     Version: TLS 1.2 (0x0303)
>
>     Cipher Suites (13 suites)
>         Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>         Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>         Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>         Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

These first four should work fine, unless you're using a version of
OpenSSL that disabled these, at compile time or runtime, perhaps
Redhat/Fedora Crypto policies?

Note that these ciphers don't enable "forward-secrecy", they use RSA key
exchange:

    $ openssl ciphers -V -stdname -s -tls1_2 -v 'HIGH+AES+kRSA+CBC:@STRENGTH'
    0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA    - AES256-SHA    SSLv3   Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA    - AES128-SHA    SSLv3   Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

So, my money is on RSA key exchange being disabled in your OpenSSL,
unless there are other Postfix settings you've not shared that do that.

> IIUC, as CBC ciphers are unsafe, it would make most sense to allow RC4 on
> specialised submission service on different TCP port.

No, as correctly noted by Bill Cole, the CBC ciphers are more
appropriate in SMTP than is RC4.

On Fri, Nov 22, 2024 at 03:12:01PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> so I guess I'll have to exclude SRP or PSK [...]

That would be a NOOP, as noted above, just keeps the list tidy, but has
no effect on the wire.

On Fri, Nov 22, 2024 at 01:01:40PM -0500, Bill Cole via Postfix-users wrote:

> The HTTP-relevant attacks (e.g. BEAST) I am aware of on CBC ciphersuites are
> infeasible against SMTP and similar protocols.
>
> https://marc.info/?l=postfix-users&m=133649211220443&w=2
> https://success.qualys.com/discussions/s/question/0D52L00004TntrHSAR/weak-cbc-mode-vulnerability-on-smtp&ved=2ahUKEwjV6r-IwfCJAxULj4kEHV_wJGUQFnoECC4QAQ&usg=AOvVaw3-avte1ZFDupDEI4r7shA1
> https://blog.qualys.com/product-tech/2011/10/17/mitigating-the-beast-attack-on-tls#comment-8481

Thanks for saving me the trouble.

On Fri, Nov 22, 2024 at 07:24:33PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> Now I'm searching for the proper smtpd_tls_exclude_ciphers setting to get at
> least some, possibly most secure ciphers of those provided in my first mail.

Well, nothing you've reported explicitly disables the CBC ciphers, but
see above re forward-secrecy and kRSA.

--
    Viktor.
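
The overlap check discussed in the message above, as an added example that is not part of the original thread or of Postfix: it intersects the ClientHello suites quoted in the thread with an `openssl ciphers -V -stdname` listing and reports the key exchange of each shared suite. The function names, the `live` argument and the extra ECDHE sample line are assumptions made for this example.

```shell
#!/bin/sh
# The four ClientHello suites quoted in the thread (IANA names, space separated).
CLIENT_SUITES="TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA"

# overlap LIST: read `openssl ciphers -V -stdname` output on stdin and print
# "<IANA name> <OpenSSL name> <Kx>" for each enabled suite that is also in LIST.
overlap() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) offered[w[i]] = 1 }
        # Columns: 0xNN,0xNN - IANA_NAME - OPENSSL_NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
        ($3 in offered) {
            kx = "?"
            for (i = 6; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
            print $3, $5, kx
        }'
}

# forward_secret_count: count overlap lines (stdin) whose key exchange is not RSA.
forward_secret_count() {
    awk '$3 != "RSA" { n++ } END { print n + 0 }'
}

# Listing from the message above, plus one constructed ECDHE line that the
# quoted part of the ClientHello does not contain (so it must not be reported).
sample_listing() {
    cat <<'EOF'
0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0xC0,0x30 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

# local_listing: what this host's OpenSSL enables for the cipher string used above.
# An empty result means this build or its configuration enables none of them.
local_listing() {
    openssl ciphers -V -stdname -s -tls1_2 -v 'HIGH+AES+kRSA+CBC:@STRENGTH' 2>/dev/null || true
}

# "live" checks the local library; the default runs on the embedded sample.
if [ "${1:-}" = "live" ]; then src=local_listing; else src=sample_listing; fi
shared=$($src | overlap "$CLIENT_SUITES")
if [ -z "$shared" ]; then
    echo "no shared suite: the handshake would fail"
else
    echo "$shared"
    echo "forward-secret suites: $(echo "$shared" | forward_secret_count)"
fi
```

Run it with the `live` argument on the mail server itself; no output lines other than "no shared suite" means the library offers none of the four suites to this client.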