On Sun, Jul 19, 2015 at 10:41:43AM +0200, DTNX Postmaster wrote:
[ Additional data points would be useful, please don't be shy.
Is anyone who's had to make adjustments to their cipherlist
settings to ensure that RC4 is in the first 64 slots for
Exchange 2003 servers, finding that they no longer need to
do that? ]
> > So, if you have any data on long-term trends in RC4 use, especially
> > from a site with a high volume of traffic (1 million messages per
> > day or more), please post your findings. Is RC4 disappearing from
> > SMTP TLS, or continuing to be used by laggards resistant to change?
>
> We're below that volume threshold, but have been deliberately tracking
> cipher usage for quite some time now. Usage of 'RC4-SHA' and 'RC4-MD5'
> has been down to no more than a handful per day for a good while, where
> days without any RC4 at all aren't rare.
Any estimate of the volume of TLS traffic overall that you can
share?
> As for the action to take, I would suggest that it's time to move; drop
> RC4 to LOW *and* drop it from the default cipherlist, because there
> will continue to be laggards pretty much forever. Those that continue
> to see a significant number of RC4 connections in their outgoing mix
> and want to continue supporting it can add it back in manually when
> they upgrade to a Postfix built against OpenSSL 1.1 and up.
If RC4 is reclassified as "LOW", when tweaking the underlying
cipherlists to reenable RC4, it is too easy to accidentally drag
in the EXPORT RC4 ciphers, which would be bad:
# Wrong:
tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:RC4:@STRENGTH
# Right:
tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH:RC4-SHA
If RC4 is not removed from "MEDIUM", then messing with
tls_medium_cipherlist is not needed, and the exclusions I've posted
previously suffice to trim the cipherlist to less than 64 ahead of
RC4-SHA.
> The primary reason is that the tail for versions of Postfix running on
> versions of OpenSSL older than 1.1 will be very long, easily 5-10
> years, even if all vendors stick with the new defaults.
I'm worried more about early adopters of systems with OpenSSL 1.1
running into friction, than I am about the long-tail.
Thus the proposal to *only* drop RC4 from "DEFAULT", but not move
it to "LOW". However, if RC4 will largely disappear from SMTP by
mid 2016, then perhaps a change to "LOW" will be less disruptive
than I fear.
--
Viktor.
