micah anderson <mi...@riseup.net> writes: > 2. Server suite preferences: they break down each preferred cipher > selection for each TLS verison, and are unhappy about the cipher suite > configuration being suboptimal, specifically that the forward secrecy > ciphers (ECDHE or DHE) and authenticated encryption (GCM or CHACHA20) > are not 'at the top' of the cipher preferences. > > I know its possible to set `tls_preempt_cipher_list=yes` and risk > Windows 2003 Microsoft Exchange clients having an issue[0]. But, to get > the preferences to order the forward secrecy and auth encryption ciphers > first, I'd have to specify a custom cipherlist with > tls_medium_cipherlist, which would be ugly[0]. It is also unclear how > this would work with tls1.2, vs. tls1.1 vs. tls1.0 (for example tls1.2 > has TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and if I set that as the > first cipher in tls_medium_cipherlist, what happens with tls1.1 and > tls1.0, which does not support that cipher?). > > I know that 'hardening postfix' threads have been posted here a number > of times, I've read them and I understand the recommendations if you > want to continue delivering and accepting email from the internet. What > I'm trying to find out if there is a way to thread the needle: favor > "better" ciphers, while limiting the impact to ancient software. I say > 'limit' because I realize that even just turning on > `tls_preempt_cipher_list=yes` will already cause problems with Windows > 2000 Microsoft Exchange, but I feel that may be an acceptable trade-off > at this point.
I'll note that gmail.com[0] does manage to reach this requirement, they prefer ciphers for each tls version, and only seem to present 10 ciphers for tls1.2, and 5 for tls1.1 and tls1.0. I feel like if gmail is limiting their ciphers to those few, it must be relatively safe for others to do so as well. 0. https://www.hardenize.com/report/gmail.com/1554931211#email_tls -- micah
