Re: tlsa for smtp to @bugs.debian.org
Florian Weimer writes ("Re: tlsa for smtp to @bugs.debian.org"):
>* Bastian Blank:
>> On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
>>> I think gnutls by default has a minimum size of 727 for the DH
>>> size while openssl doesn't have any check for this. But if you're
>>> using DH you really want to move to something like 2048 if
>> This prime size is pretty irrelevant for opportunistic TLS.
>Small primes enable passive attacks. [...]
This is true but irrelevant. You have snipped Bastian's key point
which is this:
If the server is prepared to do unencrypted session, then some
encryption is better then no encryption.
Clearly it is better to do TLS with a weak prime or weak signature
hash algorithm or weak whatever-else, than not to do TLS at all.
If the problem is indeed that gnutls refuses to use weak algorithms
(which is a good default policy for a TLS library) then I think the
solution is for postfix, when doing opportunistic TLS, to use whatever
gnutls policy knobs are available to turn off those checks.
> Curiously, the optional ephemeral Diffie-Hellman part of the TLS
> protocol runs in plaintext, which means that it can be attacked
> directly, without bothering to attack the RSA part. As a result, that
> dreaded thing called "perfect forward secrecy" is not necessarily an
> overall improvement. It's probably best to disable it altogether,
> then the DH interoperability issue disappears as well. (I'm pretty
> sure the current trend to enable it all over the place is mostly due
> to its suggestive name.)
I diagree. Forward secrecy is generally an important improvement.