On 19 Jul 2015, at 17:53, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> The primary reason is that the tail for versions of Postfix running on
>> versions of OpenSSL older than 1.1 will be very long, easily 5-10
>> years, even if all vendors stick with the new defaults.
>
> I'm worried more about early adopters of systems with OpenSSL 1.1
> running into friction, than I am about the long-tail.
>
> Thus the proposal to *only* drop RC4 from "DEFAULT", but not move
> it to "LOW". However, if RC4 will largely disappear from SMTP by
> mid 2016, then perhaps a change to "LOW" will be less disruptive
> than I fear.

Data given is purely the SMTP *client*, by the way; outgoing traffic to servers elsewhere.

For incoming traffic, I see one (1) RC4-SHA connection over that entire 90-day period, and that was spam from a compromised server, something that looks like a CommuniGate Pro installation that should also support better but has defaults that are quite dated. The 'qq.com' sending relays negotiate 'DHE-RSA-AES128-SHA' for incoming traffic because we preempt the cipher list.

Also, it looks like several Exchange servers have been upgraded in this 90-day period. I did not see this before because I was specifically grepping for RC4, and the results vary, but most of them have better options available than RC4, like 'ECDHE-RSA-AES128-SHA', even if the cipher order still prefers it. Disabling RC4 would actually improve the cipher negotiated for those.

So, out of 11 Exchange servers that still negotiated RC4 over the past 90 days, only four (4) actually remain that have a TLS profile that looks like this;

==
  * TLSV1_2 Cipher Suites:
      Server rejected all cipher suites.

  * TLSV1_1 Cipher Suites:
      Server rejected all cipher suites.

  * TLSV1 Cipher Suites:
      Preferred:
                 RC4-MD5                       128 bits
      Accepted:
                 RC4-SHA                       128 bits
                 RC4-MD5                       128 bits
                 DES-CBC3-SHA                  112 bits
                 DES-CBC-SHA                   56 bits
                 EXP-RC4-MD5                   40 bits
                 EXP-RC2-CBC-MD5               40 bits
==

Out of those four, only one is more than one connection over those 90 days. That one is in active use, a client for an important customer, and it looks like it'll do 'DES-CBC3-SHA' just fine if we disable RC4 for outgoing mail.

The other seven now have better defaults (one jumped to TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384) or will negotiate an AES cipher of some kind if RC4 is disabled.

I suspect that the change to 'LOW' would not even be a blip on the radar for most deployments. Push that through, and add a note to the README, I'd say :-)

YMMV, etcetera ... moar dataz plz!

Kind regards,
Joni
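
Added example, not part of the original message and not the poster's own tooling: one way to reproduce this kind of survey from a mail log instead of grepping for RC4 alone, so that destinations which negotiated RC4 earlier in the period but something better later show up separately. It assumes the Postfix SMTP client logs TLS summaries (smtp_tls_loglevel = 1 or higher); the sample log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Outgoing (postfix/smtp) TLS summary line; smtpd lines for incoming mail do not match.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: \w+ TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \("
)

def ciphers_by_destination(lines):
    """Map each destination host to a Counter of (protocol, cipher) pairs."""
    seen = defaultdict(Counter)
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            seen[m["host"]][(m["proto"], m["cipher"])] += 1
    return seen

def rc4_report(lines):
    """Split destinations that negotiated RC4 into 'only RC4' and 'also better'.

    Each value is (rc4_connections, total_tls_connections) for that host.
    """
    rc4_only, also_better = {}, {}
    for host, counts in ciphers_by_destination(lines).items():
        # Match RC4 as a whole component, so ECDHE-RSA-RC4-SHA and EXP-RC4-MD5 count too.
        rc4 = sum(n for (_, c), n in counts.items() if "RC4" in c.split("-"))
        if rc4 == 0:
            continue
        total = sum(counts.values())
        (rc4_only if rc4 == total else also_better)[host] = (rc4, total)
    return rc4_only, also_better

# Constructed sample log lines (documentation hostnames and addresses).
SAMPLE = """\
Jul 01 10:00:01 mx1 postfix/smtp[2101]: Untrusted TLS connection established to exch1.example.net[192.0.2.11]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 02 11:30:12 mx1 postfix/smtp[2133]: Untrusted TLS connection established to exch1.example.net[192.0.2.11]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 03 09:15:40 mx1 postfix/smtp[2150]: Trusted TLS connection established to exch2.example.org[198.51.100.7]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Jul 15 14:02:05 mx1 postfix/smtp[2188]: Trusted TLS connection established to exch2.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul 16 08:45:59 mx1 postfix/smtp[2190]: Trusted TLS connection established to mail.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jul 16 08:50:00 mx1 postfix/smtpd[2200]: Anonymous TLS connection established from unknown[203.0.113.9]: TLSv1 with cipher RC4-SHA (128/128 bits)
"""

if __name__ == "__main__":
    only, better = rc4_report(SAMPLE.splitlines())
    print("RC4 on every connection:", only)
    print("RC4 seen, but better also negotiated:", better)
```

Hosts in the first group are the ones worth probing individually before RC4 is disabled for outgoing mail; the second group has already shown it can do better.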