[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tlsa for smtp to @bugs.debian.org

Florian Weimer writes ("Re: tlsa for smtp to @bugs.debian.org"):
>* Bastian Blank:
>> On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
>>> I think gnutls by default has a minimum size of 727 for the DH
>>> size while openssl doesn't have any check for this.  But if you're
>>> using DH you really want to move to something like 2048 if
>>> possible.
>> This prime size is pretty irrelevant for opportunistic TLS.
>Small primes enable passive attacks.  [...]

This is true but irrelevant.  You have snipped Bastian's key point
which is this:

  If the server is prepared to do unencrypted session, then some
  encryption is better then no encryption.

Clearly it is better to do TLS with a weak prime or weak signature
hash algorithm or weak whatever-else, than not to do TLS at all.

If the problem is indeed that gnutls refuses to use weak algorithms
(which is a good default policy for a TLS library) then I think the
solution is for postfix, when doing opportunistic TLS, to use whatever
gnutls policy knobs are available to turn off those checks.

> Curiously, the optional ephemeral Diffie-Hellman part of the TLS
> protocol runs in plaintext, which means that it can be attacked
> directly, without bothering to attack the RSA part.  As a result, that
> dreaded thing called "perfect forward secrecy" is not necessarily an
> overall improvement.  It's probably best to disable it altogether,
> then the DH interoperability issue disappears as well.  (I'm pretty
> sure the current trend to enable it all over the place is mostly due
> to its suggestive name.)

I diagree.  Forward secrecy is generally an important improvement.


Reply to: