Viktor Dukhovni wrote:
> Andrei Popov wrote:
>>
>> When old algorithms are deprecated and new algorithms replace them in
>> actual deployments (a very slow process), an opportunistic client would
>> need to be updated, just like a normal server-authenticating client does.
>> Except for the opportunistic client this update would be rather trivial.
>>
>> Alternatively, can an opportunistic client explicitly negotiate
>> anonymous connections?
>
> Postfix tries to, as hard as it can, but many servers do not offer
> anon_DH cipher suites, and under-informed auditors give system
> administrators a hard time when they are offered.
anon_DH cipher suites are a true security problem, in particular with
clients that perform server endpoint identification as a mere side-effect
of processing the server's TLS Certificate handshake message (such as
through a callback) rather than as a mandatory verification step at the
end of a successful TLS handshake.

Anonymous cipher suites are regularly not just "not offered by servers",
they might not even be implemented in the server's TLS implementation.
We don't support them, and I didn't notice any such cipher suites on
these lists, either:

  https://msdn.microsoft.com/library/aa374757.aspx
  https://support.microsoft.com/en-us/kb/2929781
  https://technet.microsoft.com/en-us/library/dn786419.aspx

Btw., anonymous TLS ciphersuites have been officially deprecated already
in TLSv1.0 (rfc2246) in 1999, several years before deprecation of the
export-crypto cipher suites:

  https://tools.ietf.org/html/rfc2246#page-55

   The following cipher suites are used for completely anonymous
   Diffie-Hellman communications in which neither party is
   authenticated. Note that this mode is vulnerable to man-in-the-middle
   attacks and is therefore deprecated.

   CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5    = { 0x00,0x17 };
   CipherSuite TLS_DH_anon_WITH_RC4_128_MD5          = { 0x00,0x18 };
   CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
   CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA          = { 0x00,0x1A };
   CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA     = { 0x00,0x1B };

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
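The thread turns on whether a client offers, and a server accepts, anonymous (unauthenticated) cipher suites. An operator or auditor checking a capture for this needs to read the cipher_suites vector out of a ClientHello and match it against the anonymous code points. The following example is added here and is not code from the thread, Postfix or any TLS stack; it parses a minimal ClientHello record and flags the five DH_anon code points quoted from RFC 2246 above, plus the later DH_anon/ECDH_anon AES assignments from the IANA registry (those later entries are my addition, not from the quoted excerpt). The sample ClientHello is constructed inline; build_client_hello, parse_client_hello and anonymous_offered are hypothetical helper names.

```python
from __future__ import annotations
import struct

# Code points deprecated in the RFC 2246 excerpt quoted above.
DH_ANON_RFC2246 = {
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
}

# Later anonymous assignments (RFC 5246, RFC 5288, RFC 4492). These are not in
# the quoted excerpt; they are listed here from the IANA registry as an addition.
LATER_ANON = {
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0x006C: "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
    0x006D: "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
    0x00A6: "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    0x00A7: "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
    0xC015: "TLS_ECDH_anon_WITH_NULL_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC017: "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
    0xC018: "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
}
ANON_SUITES = {**DH_ANON_RFC2246, **LATER_ANON}


def parse_client_hello(record: bytes) -> list[int]:
    """Return the cipher suite code points offered in a TLS ClientHello record.

    Layout: TLSPlaintext header (type, version, length) wrapping a Handshake
    header (type, 24-bit length) wrapping the ClientHello body:
    client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2>
    compression_methods<1..2^8-1> [extensions].
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                      # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites length")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def anonymous_offered(record: bytes) -> list[str]:
    """Names of anonymous suites the client offered, in offer order."""
    return [ANON_SUITES[cs] for cs in parse_client_hello(record)
            if cs in ANON_SUITES]


def build_client_hello(suites: list[int], random_bytes: bytes = b"\x00" * 32) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello with no extensions."""
    body = b"\x03\x03" + random_bytes + b"\x00"            # version, random, empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # cipher_suites, compression null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # Handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed capture: two authenticated suites interleaved with three anonymous ones.
SAMPLE_HELLO = build_client_hello([0xC02F, 0x0018, 0x001B, 0xC018, 0x002F])

if __name__ == "__main__":
    for name in anonymous_offered(SAMPLE_HELLO):
        print("client offers anonymous suite:", name)
```

Feed real captures by extracting the first record of a TLS session (the same parser applies to the cipher_suites vector whether or not extensions follow it); an empty result means the client did not offer any of the listed anonymous suites, which is the property a server-side audit would want to confirm from the other direction too, by checking the single cipher_suite in the ServerHello.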