Kurt Fitzner
2018-Dec-19 03:39 UTC
How to configure Dovecot to disable NIST's curves and still rertain EECDH?
I am interested in configuring Dovecot's TLS so as to retain forward secrecy, but eliminate all of NIST's elliptic curves. Besides being subject to side channel attacks [1], in some quarters there is a general distrust of NIST's curves and any of their other cryptographic primitives after the Dual EC DRBG debacle.>From what I can tell, the following will prevent the use of NIST'scurves (along with other dangerous primitives) in Dovecot, but this is accomplished by simply disabling EECDH entirely. ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH This should still retain forward secrecy through the use of EDH, but this doesn't leave much in the way of allowable algorithms on my server: $ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH' 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 Is there a better way to do this? Is there a way to disable only the suspect NIST curves and still retain EECDH but with side-channel safe curves like X25519? Thanks, Kurt Fitzner Links: ------ [1] https://blog.cr.yp.to/20140323-ecdsa.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20181218/59c56547/attachment.html>
Tributh
2018-Dec-19 05:49 UTC
How to configure Dovecot to disable NIST's curves and still rertain EECDH?
Am 19.12.18 um 04:39 schrieb Kurt Fitzner:> I am interested in configuring Dovecot's TLS so as to retain forward > secrecy, but eliminate all of NIST's elliptic curves. > > Besides being subject to side channel attacks > <https://blog.cr.yp.to/20140323-ecdsa.html>, in some quarters there is a > general distrust of NIST's curves and any of their other cryptographic > primitives after the Dual EC DRBG debacle. > > From what I can tell, the following will prevent the use of NIST's > curves (along with other dangerous primitives) in Dovecot, but this is > accomplished by simply disabling EECDH entirely. > > |ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH | > > This should still retain forward secrecy through the use of EDH, but > this doesn't leave much in the way of allowable algorithms on my server: > > |$ openssl ciphers -V > 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH' 0x00,0x9F - > DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD > 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) > Mac=SHA256 0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA > Enc=AESGCM(256) Mac=AEAD 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA > Enc=AES(256) Mac=SHA256 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 > Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x67 - DHE-RSA-AES128-SHA256 > TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0x00,0x9C - > AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD > 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 | > > Is there a better way to do this? Is there a way to disable only the > suspect NIST curves and still retain EECDH but with side-channel safe > curves like X25519? > > Thanks, > > ?????? Kurt Fitzner > > ?Do you really plan to do this? RFC 8446 section 9.1: A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) and SHOULD support key exchange with X25519 I think your idea could be not future proved. Beside that, how many mail-clients will remain usable with this cipher selection? Torsten