[Cryptography] Speaking of EDH (GnuTLS interoperability)

Eugen Leitl eugen@leitl.org
Sun Sep 8 05:58:15 PDT 2013


----- Forwarded message from Viktor Dukhovni <cryptography@dukhovni.org> -----

Date: Sun, 8 Sep 2013 04:31:28 +0000
From: Viktor Dukhovni <cryptography@dukhovni.org>
To: cryptography@metzdowd.com
Subject: [Cryptography] Speaking of EDH (GnuTLS interoperability)
User-Agent: Mutt/1.5.21 (2010-09-15)
Reply-To: cryptography@metzdowd.com


Some of you may have seen my posts to postfix-users and openssl-users,
if so, apologies for the duplication.

  http://archives.neohapsis.com/archives/postfix/2013-09/thread.html#80
  http://www.mail-archive.com/openssl-users@openssl.org/index.html#71903

The short version is that while everyone is busily implementing
EDH, they may run into some interoperability issues.  GnuTLS clients
by default insist on a minimum EDH prime size that is not generally
interoperable (2432 bits).  Since the TLS protocol only negotiates
the use of EDH, but not the prime size (the EDH parameters are
unilaterally announced by the server), this setting, while
cryptographically sound, is rather poor engineering.

The context in which this was discovered is also "amusing".  Exim
uses GnuTLS and has a work-around to drop the DH prime floor to
1024 bits, which is interoperable in practice.  Debian however
wanted to "improve" Exim to make it more secure, so the floor was
raised to 2048 bits in a Debian patch.  As a result STARTTLS from
Debian's Exim (before sanity was restored in Exim 4.80-3 in Debian
wheezy; AFAIK it is still broken in Debian squeeze) fails with Postfix,
Sendmail, and other SMTP servers.

In all probability this "stronger" version of Exim then needlessly
sends mail without TLS, since with SMTP TLS is typically opportunistic,
and likely after TLS fails delivery is retried in the clear!

-- 
	Viktor.

P.S. shameless off-topic plug:  If you want better than opportunistic
TLS for email, consider adopting DNSSEC for your domains and
publishing TLSA RRs for your SMTP servers.  Postfix supports DANE
as of 2.11-20130825.  See

    https://tools.ietf.org/html/draft-dukhovni-smtp-opportunistic-tls-01
    http://www.postfix.org/TLS_README.html#client_tls_dane

Make sure to publish either "IN TLSA 3 1 1" or "IN TLSA 2 1 1"
certificate associations.

----- End forwarded message -----
-- 
Eugen* Leitl http://leitl.org
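Added example (not from the post, nor GnuTLS, Exim or Postfix code): a parser for the DHE parameters a server announces in its ServerKeyExchange, with the client-side prime floors the post names applied to the parsed prime, showing why the same 2048-bit server parameters pass Exim's 1024-bit work-around and Debian's 2048-bit patch but are rejected by the GnuTLS 2432-bit default. The floor labels, the constructed (non-prime) modulus and the function names are assumptions for illustration.

```python
import struct

# Constructed stand-in for a server's 2048-bit DH prime p: top bit set and odd
# so its bit length is 2048. It is NOT a real prime; only its size matters here.
FAKE_P_2048 = (1 << 2047) | 0x12345
FAKE_G = 2
FAKE_YS = 0x0123456789ABCDEF  # constructed public value Ys, contents irrelevant

# Client-side prime floors named in the post (policy values, not library APIs).
FLOORS = {"gnutls-default": 2432, "exim-workaround": 1024, "debian-exim-patch": 2048}

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys, each a
    2-byte-length-prefixed big-endian opaque."""
    out = b""
    for value in (p, g, ys):
        body = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(body)) + body
    return out

def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams into ints; reject truncated or empty fields."""
    fields, offset = {}, 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(data):
            raise ValueError("truncated length field for dh_%s" % name)
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError("truncated or empty dh_%s" % name)
        fields[name] = int.from_bytes(data[offset:offset + length], "big")
        offset += length
    return fields

def dh_prime_bits(params: dict) -> int:
    """Effective prime size: int.bit_length() ignores any leading zero bytes."""
    return params["p"].bit_length()

def client_accepts(params: dict, floor_bits: int) -> bool:
    """The client's unilateral check: TLS negotiated EDH, not the prime size,
    so all the client can do is accept the parameters or abort the handshake."""
    return dh_prime_bits(params) >= floor_bits

def interop_matrix(server_key_exchange: bytes) -> dict:
    """Which of the named client policies would complete a handshake with this server."""
    params = parse_server_dh_params(server_key_exchange)
    return {name: client_accepts(params, floor) for name, floor in FLOORS.items()}
```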