On Sat, Nov 23, 2013 at 10:40:05PM +0100, Andreas Schulze wrote:

> But when I disable RC4 in smtpd_tls_exclude_ciphers (I assume) it's
> also not used when I enforce encrypt mode !? This script doesn't say so.

Yes, you're right, the script did not cover that case accurately,
the code from smtpd(8) reads:

        cipher_exclusions = vstring_alloc(10);
        ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph);
        if (var_smtpd_enforce_tls)
            ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl);
        if (ask_client_cert)
            ADD_EXCLUDE(cipher_exclusions, "aNULL");

> Also the script doesn't handle situations where smtpd_tls_ciphers is set
> to 'high' for example.

Yes, though that setting is substantially likely to have interoperability
issues.  Your weakest link is unlikely to be any of the medium ciphers.

> So here is my update (without any optimization !)

> server_ciphers() {
>         local use skip ciphers exclude e
>         case $1 in
>         may)
>             grade="$(postconf -xh smtpd_tls_ciphers)"
>             use="tls_${grade}_cipherlist"
>             skip1="smtpd_tls_exclude_ciphers"
>             skip2="";;
>         encrypt)
>             grade="$(postconf -xh smtpd_tls_mandatory_ciphers)"
>             use="tls_${grade}_cipherlist"
>             skip1="smtpd_tls_exclude_ciphers"
>             skip2="smtpd_tls_mandatory_exclude_ciphers";;
>         esac
>         ciphers="$(postconf -xh $use)"
>         exclude1="$(postconf -xh $skip1)"
>         if [ -n "${exclude1}" ]; then
>             OIFS="$IFS"; IFS=":,$OIFS"
>             set -- $exclude1
>             IFS="$OIFS"
>             for e; do ciphers="$ciphers:"'!'"$e"; done
>         fi
>         if [ -n "${skip2}" ]; then
>             exclude2="$(postconf -xh $skip2)"
>             if [ -n "${exclude2}" ]; then
>                 OIFS="$IFS"; IFS=":,$OIFS"
>                 set -- $exclude2
>                 IFS="$OIFS"
>                 for e; do ciphers="$ciphers:"'!'"$e"; done
>             fi
>         fi
>         openssl ciphers -v "$ciphers"
> }
> 
> correct?

Yes, but your local variable list no longer matches exactly the
variables used in the code (grade, skip1, skip2 are not covered,
while skip is no longer used).  The "local" built-in is, I should
note, not POSIX.  Some shells may not support it.

For bonus points, you could look at "smtpd_tls_askccert" and
"smtpd_tls_req_ccert".  If either is set to "yes", append ':!aNULL'
to the raw openssl cipher list.

-- 
        Viktor.
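An added example, not the script from the thread, that mirrors the smtpd(8) exclusion logic quoted above plus the aNULL rule as a POSIX sh function (no "local"), with the parameter values passed as arguments so it can be checked without a Postfix install. The parameter names are spelled smtpd_tls_ask_ccert and smtpd_tls_req_ccert as in postconf(5); the cipher lists in the comments are constructed sample values.

```shell
#!/bin/sh
# Build the OpenSSL cipher string Postfix smtpd(8) effectively uses:
# base cipherlist, minus smtpd_tls_exclude_ciphers, minus
# smtpd_tls_mandatory_exclude_ciphers when TLS is enforced (encrypt),
# minus aNULL when a client certificate is asked for or required.

# append_exclusions CIPHERS LIST: echoes CIPHERS with ":!name" appended
# for every entry of a Postfix-style list ("a, b:c"). Portable sh only.
append_exclusions() {
    _ciphers=$1
    _oifs=$IFS
    IFS=":,$IFS"          # split on colon, comma and whitespace
    set -- $2             # positional parameters are local to the function
    IFS=$_oifs
    for _e; do
        case $_e in
        '') ;;            # skip empty fields from ", ," style input
        *)  _ciphers="$_ciphers:!$_e" ;;
        esac
    done
    printf '%s\n' "$_ciphers"
}

# effective_ciphers MODE BASE EXCL MAND_EXCL ASK_CCERT REQ_CCERT
#   MODE      : may | encrypt            (smtpd_tls_security_level)
#   BASE      : value of tls_<grade>_cipherlist for the selected grade
#   EXCL      : smtpd_tls_exclude_ciphers
#   MAND_EXCL : smtpd_tls_mandatory_exclude_ciphers (used only in encrypt)
#   ASK_CCERT : smtpd_tls_ask_ccert (yes/no)
#   REQ_CCERT : smtpd_tls_req_ccert (yes/no)
effective_ciphers() {
    _result=$(append_exclusions "$2" "$3")
    if [ "$1" = encrypt ]; then
        _result=$(append_exclusions "$_result" "$4")
    fi
    # smtpd(8) adds "aNULL" whenever it asks the client for a certificate
    if [ "$5" = yes ] || [ "$6" = yes ]; then
        _result="$_result:!aNULL"
    fi
    printf '%s\n' "$_result"
}

# On a real server, feed it from postconf(1), e.g. for enforced TLS:
#   grade=$(postconf -xh smtpd_tls_mandatory_ciphers)
#   effective_ciphers encrypt "$(postconf -xh tls_${grade}_cipherlist)" \
#       "$(postconf -xh smtpd_tls_exclude_ciphers)" \
#       "$(postconf -xh smtpd_tls_mandatory_exclude_ciphers)" \
#       "$(postconf -xh smtpd_tls_ask_ccert)" "$(postconf -xh smtpd_tls_req_ccert)" \
#   | xargs openssl ciphers -v
```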
