Viktor

On Mon, Jul 31, 2017, at 02:11 PM, Viktor Dukhovni wrote:
> (Note that's "aNULL:-aNULL:..." not "aNULL:!aNULL:...").

Yeah noticed that.   Not clear what the diff is yet, but sticking with the 
"aNULL:-aNULL" for this.

> This ensures that anon-DHE/anon-ECDHE ciphers are actually used when
> mutually enabled and authentication is off at the client.

> You're not expected to need to know about or tweak the cipherlists.

Well I have to tweak a bit anyway.  I need to get ChaCha20 working.  And I 
intend to know about it if only not to screw things up.

Unless I set the cipherlist manually to include the cipher, eg testing

        "aNULL:-aNULL:ECDHE-ECDSA-CHACHA20-POLY1305:HIGH:MEDIUM:@STRENGTH"
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

then it just uses other EC ciphers.  With it in there it works, mail to/from 
gmail uses the CHACHA20-POLY1305 cipher,

        Jul 29 14:31:28 maryland postfix/mailout/smtp[6707]: gmail-smtp-in.l.google.com[74.125.28.26]:25: TLS cipher list "aNULL:-aNULL:ECDHE-ECDSA-CHACHA20-POLY1305:HIGH:MEDIUM:@STRENGTH"
        Jul 29 14:31:28 maryland postfix/mailout/smtp[6707]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.28.26]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

> Sadly, this will no longer be possible once (a decade or two from now)
> TLS 1.3 is the dominant protocol version, as TLS 1.3 drops support for
> the anon ciphersuites.

v1.3 is completely on my back burner for now.  Trying not to even LOOK at it 
until at least Openssl 111 is released.

> The "encrypt" security level is still unauthenticated.

Yeah

> Don't confuse data confidentiality with channel integrity.

Trying not to.

That log snip above is from a send TO someone at gmail FROM my server.

I'm confused about the "Trusted TLS" bit.

I'm not authenticating to google as a user, just sending mail to it.  So I 
thought that means I'd be 'anonymous' to it.

> will automatically suppress anon ciphers when configured to
> authenticate the remote server.

So since I'm NOT authenticating, and DO have "aNULL:-aNULL" in there why am I 
successfully using the ECDHE-ECDSA-CHACHA20-POLY1305 cipher?  Shouldn't I HAVE 
to remove aNull support?

> It is somewhat unfortunate that to work around some quirks in Exchange 2003
> (mostly gone now) I've had to post examples of pruned cipherlists that make
> TLS work against these crippled servers:
> 
>       smtp_tls_exclude_ciphers = ...

Yeah, started looking at that too as part of the bunch of

        smtpd_tls_ciphers
        smtpd_tls_mandatory_ciphers
        smtpd_tls_exclude_ciphers
        smtpd_tls_mandatory_exclude_ciphers

        smtp_tls_ciphers
        smtp_tls_mandatory_ciphers
        smtp_tls_exclude_ciphers
        smtp_tls_mandatory_exclude_ciphers

If by 'subtle' you mean 'easily confused by', sign me up!

Eventually I'll have to make this server mandatory TLS for in & outbound, and 
limit it to non-"Broken or Scary" ciphers.  And to always prefer EC, strongest 
options first.

Figuring out what to 'tweak' in those options to get there and NOT shoot off my 
own foot should be fun.

Rob
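
An added example, not part of the original message or of Postfix: a small Python parser that pairs the two log lines quoted in the message and reports the logged connection status, the negotiated cipher, whether that cipher is one of OpenSSL's anonymous (ADH-/AECDH-) suites, and whether it was literally named in the logged cipher list. The function name `audit` and the result field names are assumptions made here.

```python
import re

# Log lines taken from the message above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Jul 29 14:31:28 maryland postfix/mailout/smtp[6707]: gmail-smtp-in.l.google.com[74.125.28.26]:25: TLS cipher list "aNULL:-aNULL:ECDHE-ECDSA-CHACHA20-POLY1305:HIGH:MEDIUM:@STRENGTH"
Jul 29 14:31:28 maryland postfix/mailout/smtp[6707]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.28.26]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
"""

LIST_RE = re.compile(r'(?P<peer>\S+\[[^\]]+\]:\d+): TLS cipher list "(?P<list>[^"]+)"')
CONN_RE = re.compile(
    r'(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established '
    r'(?:to|from) (?P<peer>\S+\[[^\]]+\](?::\d+)?): (?P<proto>\S+) with cipher '
    r'(?P<cipher>\S+) \((?P<used>\d+)/(?P<total>\d+) bits\)')

# OpenSSL names for cipher suites with no server authentication (the aNULL class).
ANON_PREFIXES = ("ADH-", "AECDH-")

def audit(log_text):
    """Pair each 'TLS connection established' line with the cipher list
    logged for the same peer and summarise what was negotiated."""
    offered = {}   # peer -> cipher list string most recently logged
    results = []
    for line in log_text.splitlines():
        m = LIST_RE.search(line)
        if m:
            offered[m["peer"]] = m["list"]
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        cipher_list = offered.get(m["peer"], "")
        results.append({
            "peer": m["peer"],
            "status": m["status"],
            "protocol": m["proto"],
            "cipher": m["cipher"],
            "bits": int(m["used"]),
            # True only for ADH-*/AECDH-* suites, i.e. no server certificate used
            "anonymous_cipher": m["cipher"].startswith(ANON_PREFIXES),
            # True only if the exact suite name is an element of the list string
            "named_in_list": m["cipher"] in cipher_list.split(":"),
        })
    return results

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r)
```

On the quoted log this reports a certificate-based suite (`ECDHE-RSA-...`, not anonymous) that is not the `ECDHE-ECDSA-...` entry named in the list.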
