Mailing List Archive

[Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation?
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #1 from Ferry <freaky@bananateam.nl> ---
Guidelines here btw:
https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1

For just ciphersuites jumping to Appendix C is the quick win :).

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: [Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
On Tue, Oct 19, 2021 at 09:21:24PM +0000, admin--- via Exim-dev wrote:
> https://bugs.exim.org/show_bug.cgi?id=2822
>
> --- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
> a) you didn't say what version of GnuTLS, nor distribution of Exim
> b) working out what you are trying to say in that wall of text is tiring

Though my comment likely won't make it into the ticket log, and so might
not reach the OP, I feel obliged to note that turning up TLS security to
11 for opportuistic TLS in SMTP is rather a bad idea.

https://datatracker.ietf.org/doc/html/rfc7435

Unless such settings are limited to the submission ports, the net result
of raising the floor that high, would be more email transmisison in the
clear, which rather defeats the purpose (presumably greater SMTP
security).

If e.g. ~112 bit security (2048-bit DHE) is sufficient to protect most
of the web, most software update servers, ... surely it should be good
enough for opportunistic TLS in SMTP.

I realise that my admonitions are unlikely to make a big dent in the
popularity of roasting one's crypto on "HIGH", but perhaps there are one
or two rational folks I might persuade to consider a more realistic
threat model.

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: [Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
On 19/10/2021 20:40, Viktor Dukhovni via Exim-dev wrote:
> Though my comment likely won't make it into the ticket log

You could always comment on the bug, using the bugzilla web interface.
The link was in the mail you replied to.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
a) you didn't say what version of GnuTLS, nor distribution of Exim
b) working out what you are trying to say in that wall of text is tiring

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: [Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
On Wed, Oct 20, 2021 at 12:00:17AM +0000, admin--- via Exim-dev wrote:

> The 4th shows that on 2000+ connections in the logs nothing is actually using a
> DHE cipher suite either. Which makes a bug on the sslscan unlikely - esp. since
> it works as expected against gnutls-serv with the same string.

Typically, even with DHE enabled, the selected cipher would use ECDHE
when both sides support it, also, depending on what is logged with TLS
1.3, the key exchange group may not even be logged, and TLS 1.3 cipher
names onlly describe the symmetric crypto.

Indeed neither exim.org nor Phil Pennock's domain seem to support DHE,
but Heiko's Exim server does, at least when client offers only TLSv1.2
with just DHE ciphers. Don't know whether it uses GnuTLS or OpenSSL:

< 220 mx10.schlittermann.de ESMTP Exim 4.95 Wed, 20 Oct 2021 00:30:55 +0200
> EHLO ...
< 250-mx10.schlittermann.de ...
< ...
< 250-STARTTLS
< 250 HELP
> STARTTLS
< 220 TLS go ahead
mx10.schlittermann.de[46.38.236.101]:25: Matched DANE EE ...
Verified TLS connection established to mx10.schlittermann.de[46.38.236.101]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Similarly, Jeremy's MX host also supports DHE ciphers:

< 220-w81.wizint.net ESMTP Exim 4.94.133 Tue, 19 Oct 2021 22:40:50 +0000
Untrusted TLS connection established to wizmail.org[2a00:1940:107::2:0:0]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

> Then there is some reasoning why this is important for us at least.

Or only seemingly important, as I noted earlier.

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #3 from Ferry <freaky@bananateam.nl> ---
a) GnuTLS 3.6.16 & Exim 4.92.2 in our case - but the link to the bug filed at
sslscan by someone else indicates issues with exim in debian (he filed here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968145 - no response).
b) Exim seems to fail offering any DHE cipher suites whatsoever on the TLS
layer.

The 1st wall lists the results gnutls shows on the priority string.

The 2nd wall is sslscan running against gnutls-serv with the given priority
string detecting gnutls-serv actually offering what's output in the first.

The 3rd shows exim doesn't.

The 4th shows that on 2000+ connections in the logs nothing is actually using a
DHE cipher suite either. Which makes a bug on the sslscan unlikely - esp. since
it works as expected against gnutls-serv with the same string.

Then there is some reasoning why this is important for us at least.

Hope that clarifies it a bit.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
Exim feeds the string from the tls_require_ciphers option pretty much direct
into the library gnutls_priority_init() function. You might get a more
informed response from the gnutls mailinglist.

Is it possible that your "gnutls" utilites are using a different library
variant
to exim? Or that they are not constrained by some system policy setting,
where exim is?

I'm not a gnutls internals expert, but a peek at the code does show an
#ifdef ENABLE_DHE
build-time possibility.
"man update-crypto-policies" tells me about system policy, on a Fedora system.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #5 from Ferry <freaky@bananateam.nl> ---
Hi,

I myself unfortunately don't have any other exim systems readily available. The
bug report I linked concerned debian, presume they know how to link.

Would it be possible for you to run sslscan against some running installations,
or can you point me to some?

Tried running against the MX for exim.org (secondary is down btw) but it only
offers ECHDE-ECDSA ciphers. Which indicates it's using a ECDSA keypair/cert
instead of a RSA.

There are no DHE-ECDSA ciphersuites as far as I'm aware so this doesn't mean
much unfortunately.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2822] Issues with DHE ciphers - problems with GnuTLS implementation? [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #2 from Andreas Metzler <eximusers@bebt.de> ---
Hello,

I can reproduce this with exim 4.95, and gnutls 3.7.2. Minimal testcase is
running "sslscan --tls12" against
a) exim without custom gnutls priority string
and
b) ex-serv-x509.c from the gnutls distribution ( with the calls for reading
ocsp and crl file commented out) with both instances using the same gnutls
versions and certificates. This shows the following major difference:
-----------
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
+Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
+Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305 DHE 2048 bits
+Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
+Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
+Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 2048 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
+Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
+Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-CCM
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
-----------

Since ex-serv-x509.c is very short this should help. (There is no difference
with --tls13).

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##