Openssl allowed list of ciphers too strict

baruwaproject / baruwa2

Baruwa 2.0

http://www.baruwa.org

GNU General Public License v3.0

21 stars 9 forks source link

Openssl allowed list of ciphers too strict #121

Closed rmoesbergen closed 7 years ago

rmoesbergen commented 7 years ago

Starting with 2.1.4, Exim started using openssl instead of gnutls. Since the update I'm seeing quite a lot of SSL/TLS handshake failures and decided to 'debug' some of them. The cause was the list of allowed SSL ciphers was too strict for a successful TLS connection to be established. In this particular case I had to add: AES256-GCM-SHA384

To the list in /etc/exim/macros.conf

I suggest a more 'generic' list of ciphers, something like this: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

Which happens to be the default postfix 'HIGH' cipher list.

akissa commented 7 years ago

Which cipher list are you referring to ? The OPENSSL_CIPHERS list is only used for ports 465 and 587 which have SMTP AUTH info that must be secured as well as outbound connections where if TLS fails the connection falls back to plain. The case being if you do not care about security then we may as well talk plain SMTP to you. For normal port 25 STARTTLS the COMPAT_CIPHERS list is used instead.

We clearly cannot us ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH, RC4 has been broken since 2013

rmoesbergen commented 7 years ago

I'm referring to OPENSSL_CIPHERS, used for outbound SMTP connections. Since DANE is now active by default, the list of ciphers to be used should match the real world and actually allow TLS connections to be made. The current list is too strict, causing TLS connection to fail, therefore DANE validation to fail and the message not to be delivered. At least add the cipher i mentioned (AES256-GCM-SHA384), I've had more than a few (DANE enabled) sites who only accept this cipher for TLS1.2

akissa commented 7 years ago

The current list does cover that. openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH' ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA

We will ship with sensible defaults, you can override those on your systems by redefining the OPENSSL_CIPHERS macro in /etc/exim/macros.local

rmoesbergen commented 7 years ago

If I set-up a connection from the commandline with openssl s_client, it works. But when I send a mail via baruwa, the TLS handshake fails. After I added AES256-GCM-SHA384 to OPENSSL_CIPHERS in macros.conf, it also worked when sending an e-mail. I can't explain that when the cipher was already included.

akissa commented 7 years ago

Okay, i will investigate further and see if i can replicate.

rmoesbergen commented 7 years ago

Thanks

akissa commented 7 years ago

The default list has been changed to EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:AESGCM in the 6.9 baruwaos release