On 18 Jul 2015, at 22:12, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> You've likely all been hearing that RC4 is on its way out, with
> increasingly practical attacks to extract fixed plaintext that is
> sent repeatedly in lots of messages (e.g. HTTP cookies).  
> 
> While it is not clear how to extend these attacks to MTA-to-MTA
> SMTP (except when SASL PLAIN auth is used), there is some merit in
> trying to phase out support for RC4.
> 
> Before that's done however, I would like to have some evidence that
> the need for RC4 is diminishing.  Therefore, I'd like to ask the
> list whether you're seeing declining use of RC4 in your TLS
> connections (inbound or outbound).  Are there over time fewer
> servers that don't support AES?  How long do you think you'll
> continue to need RC4?
> 
> The reason I ask, is that I'm lately also a member of the OpenSSL
> development team, and they (we) are considering reclassifying RC4
> as "LOW" rather than "MEDIUM" in the upcoming OpenSSL 1.1.0 release
> (towards the end of this year).
> 
> That release is likely to appear in new "distros" some time next
> year, and Postfix built against that version of OpenSSL might no
> longer support RC4 by default.
> 
> If RC4 is still needed to interoperate with the long tail of Exchange
> 2003 and similar SMTP servers, I can accept that proposed change,
> and make changes in the Postfix cipherlists to accommodate RC4 as
> a last resort (because it is still needed).  Or I can argue against
> the reclassification of RC4 to LOW and say that the right change
> is just to drop it from the "DEFAULT" cipherlist.  Or perhaps it
> will soon enough not be needed at all?
> 
> So, if you have any data on long-term trends in RC4 use, especially
> from a site with a high volume of traffic (1 million messages per
> day or more), please post your findings.  Is RC4 disappearing from
> SMTP TLS, or continuing to be used by laggards resistant to change?

We're below that volume threshold, but have been deliberately tracking 
cipher usage for quite some time now. Usage of 'RC4-SHA' and 'RC4-MD5' 
has been down to no more than a handful per day for a good while, where 
days without any RC4 at all aren't rare.

About half of what we've seen as RC4 usage over the past 90 days are 
old Exchange servers. They are completely EOL now, as Windows Server 
2003 dropped out of support on the 14th, and I suspect that they are 
mostly single-server Small Business Server installations. The 
likelihood that these will be upgraded before the hardware breaks is 
probably very low, as any competent systems administrator would have 
moved to newer, supported versions of the software by now.

Most of the other half is misconfigured mail servers that can do better 
than that, such as the MX servers for 'qq.com':

==
Target: mx3.qq.com:25

prio  ciphersuite              protocols            pfs_keysize
1     RC4-SHA                  SSLv3,TLSv1,TLSv1.1
2     DHE-RSA-AES256-SHA       SSLv3,TLSv1,TLSv1.1  DH,1024bits
3     DHE-RSA-CAMELLIA256-SHA  SSLv3,TLSv1,TLSv1.1  DH,1024bits
4     AES256-SHA               SSLv3,TLSv1,TLSv1.1
5     CAMELLIA256-SHA          SSLv3,TLSv1,TLSv1.1
6     EDH-RSA-DES-CBC3-SHA     SSLv3,TLSv1,TLSv1.1  DH,1024bits
7     DES-CBC3-SHA             SSLv3,TLSv1,TLSv1.1
8     DHE-RSA-AES128-SHA       SSLv3,TLSv1,TLSv1.1  DH,1024bits
9     DHE-RSA-SEED-SHA         SSLv3,TLSv1,TLSv1.1  DH,1024bits
10    DHE-RSA-CAMELLIA128-SHA  SSLv3,TLSv1,TLSv1.1  DH,1024bits
11    AES128-SHA               SSLv3,TLSv1,TLSv1.1
12    SEED-SHA                 SSLv3,TLSv1,TLSv1.1
13    CAMELLIA128-SHA          SSLv3,TLSv1,TLSv1.1
14    IDEA-CBC-SHA             SSLv3,TLSv1,TLSv1.1

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 600
OCSP stapling: not supported
Server side cipher ordering
==

For those, dropping RC4 support would not be a problem, as there are 
alternatives available, and it would actually be an improvement.

And then there's two Exim servers, current version, that support 
nothing but RC4. Both are hosted by the same ISP, InMotion Hosting. I 
suspect these are VPS of some kind, with a control panel that deploys a 
custom configuration for the single MX for that domain.

As for the action to take, I would suggest that it's time to move; drop 
RC4 to LOW *and* drop it from the default cipherlist, because there 
will continue to be laggards pretty much forever. Those that continue 
to see a significant number of RC4 connections in their outgoing mix 
and want to continue supporting it can add it back in manually when 
they upgrade to a Postfix built against OpenSSL 1.1 and up.

The primary reason is that the tail for versions of Postfix running on 
versions of OpenSSL older than 1.1 will be very long, easily 5-10 
years, even if all vendors stick with the new defaults. If you want to 
enact meaningful change in terms of phasing out a cipher that will 
probably be compromised in that time period, you really need to start with 
sensible defaults as soon as possible, instead of delaying it further.

The laggards are unlikely to notice either way, since nobody's home on 
those servers. The senders that care about the difference between RC4 
and plain text will continue to deliberately support it until it 
becomes too risky. Everyone else benefits from better defaults when RC4 
inevitably breaks.

Mvg,
Joni
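
An added example, not part of the original message or of Postfix: one way to gather the per-day RC4 figures discussed in this thread from Postfix TLS log lines (as written with smtp_tls_loglevel = 1 and smtpd_tls_loglevel = 1). The sample lines, host names and addresses are constructed, and the function name tally is an assumption of this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix logs at TLS loglevel 1
# (host names and addresses are made up for this example).
SAMPLE_LOG = """\
Jul 17 09:12:01 mail postfix/smtp[2101]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 17 09:15:44 mail postfix/smtp[2107]: Untrusted TLS connection established to sbs2003.example.org[192.0.2.25]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 17 10:02:13 mail postfix/smtpd[2150]: Anonymous TLS connection established from relay.example.com[198.51.100.7]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jul 18 08:30:00 mail postfix/smtpd[2300]: Anonymous TLS connection established from out.example.com[198.51.100.9]: TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Jul 18 08:31:10 mail postfix/smtp[2302]: Untrusted TLS connection established to sbs2003.example.org[192.0.2.25]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
"""

# smtp = outbound client, smtpd = inbound server; the port only appears outbound.
TLS_LINE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ postfix/(?P<svc>smtpd?)\[\d+\]: "
    r"\w+ TLS connection established (?:to|from) "
    r"(?P<peer>[^\[\s]+)\[[^\]]+\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def tally(log_text):
    """Return ({day: Counter(total, rc4)}, Counter of RC4 peers by direction)."""
    per_day = defaultdict(Counter)
    rc4_peers = Counter()
    for line in log_text.splitlines():
        m = TLS_LINE.match(line)
        if not m:
            continue  # not a TLS summary line
        direction = "outbound" if m["svc"] == "smtp" else "inbound"
        per_day[m["day"]]["total"] += 1
        # Matches RC4-SHA, RC4-MD5 and names such as ECDHE-RSA-RC4-SHA.
        if "RC4" in m["cipher"].split("-"):
            per_day[m["day"]]["rc4"] += 1
            rc4_peers[(direction, m["peer"])] += 1
    return per_day, rc4_peers

if __name__ == "__main__":
    days, peers = tally(SAMPLE_LOG)
    for day, c in days.items():
        print(f"{day}: {c['rc4']}/{c['total']} TLS sessions used RC4")
    for (direction, peer), n in peers.most_common():
        print(f"  {direction:8} {peer}: {n}")
```

The per-peer list is what separates the cases described above: peers that can negotiate something better are unaffected by dropping RC4, while RC4-only peers are the ones that would need a manual exception.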
