
why use "aNULL:!aNULL:" in Postfix default cipherlists?


jas...@mail-central.com

Apr 9, 2016, 3:01:39 PM
While looking through the Postfix default configs about TLS ciphers, I noticed these

grep -i " anull" main.cf.default
tls_export_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH

What's the reason for the

aNULL:-aNULL

?


That's not making sense to me. Doesn't that just remove what you just added?

Is it a logging thing?

Jason

Viktor Dukhovni

Apr 9, 2016, 3:28:16 PM
On Sat, Apr 09, 2016 at 12:01:20PM -0700, jas...@mail-central.com wrote:

> While looking through the Postfix default configs about TLS ciphers, I noticed these
>
> grep -i " anull" main.cf.default
> tls_export_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH
> tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
> tls_low_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH
> tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
>
> What's the reason for the
>
> aNULL:-aNULL

The most recently removed ciphers are at the front of the list when
ciphers are restored. Therefore, "aNULL:-aNULL:ALL:@STRENGTH" is
different from "ALL:@STRENGTH" in that at any given strength the
aNULL ciphers are listed first. There's not much point in enabling
aNULL ciphers if they are not used when supported at both ends (and
the client is ignoring any server certificate anyway).

% bash
$ diff -u \
<(openssl ciphers -v ALL:@STRENGTH) \
<(openssl ciphers -v aNULL:-aNULL:ALL:@STRENGTH)
--- /dev/fd/63 2016-04-09 15:19:03.000000000 -0400
+++ /dev/fd/62 2016-04-09 15:19:03.000000000 -0400
@@ -1,3 +1,9 @@
+ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
+ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
+ADH-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(256) Mac=SHA256
+AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
+ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
+ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
@@ -9,7 +15,6 @@
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
-ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
@@ -18,17 +23,12 @@
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA256
-ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
-ADH-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(256) Mac=SHA256
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
-AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
-ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
-ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
@@ -62,6 +62,13 @@
PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
PSK-CAMELLIA256-SHA384 TLSv1 Kx=PSK Au=PSK Enc=Camellia(256) Mac=SHA384
+ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
+ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
+ADH-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(128) Mac=SHA256
+AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
+ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
+ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
+ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
@@ -70,7 +77,6 @@
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
-ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
@@ -79,8 +85,6 @@
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA256
-ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
-ADH-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
@@ -89,10 +93,6 @@
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
-AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
-ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
-ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
-ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
@@ -124,12 +124,12 @@
PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
PSK-CAMELLIA128-SHA256 TLSv1 Kx=PSK Au=PSK Enc=Camellia(128) Mac=SHA256
+AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
+ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
-AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
-ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ECDHE-PSK-3DES-EDE-CBC-SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1

--
Viktor.
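
The ordering rule described in the reply above, as an added example that is not part of the original thread or of OpenSSL's or Postfix's code: a simplified Python model of how the cipher-string rules (add, `-`, `!`, `@STRENGTH`) reorder the list. The cipher table is a small constructed sample, and the function names `matches` and `expand` are hypothetical.

```python
# Added example: simplified model of OpenSSL cipher-string rule processing.
# CIPHERS is a constructed sample table of (name, Au, strength bits); the
# anonymous (Au=None) suites sit last, as in OpenSSL's built-in base order.
CIPHERS = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "RSA", 256),
    ("DHE-RSA-AES256-SHA256", "RSA", 256),
    ("ECDHE-RSA-AES128-GCM-SHA256", "RSA", 128),
    ("DHE-RSA-AES128-SHA", "RSA", 128),
    ("ADH-AES256-GCM-SHA384", "None", 256),
    ("AECDH-AES256-SHA", "None", 256),
    ("ADH-AES128-GCM-SHA256", "None", 128),
]

def matches(cipher, alias):
    """Only the two aliases used in this thread are modelled."""
    if alias == "ALL":
        return True
    if alias == "aNULL":
        return cipher[1] == "None"
    raise ValueError("alias not modelled: " + alias)

def expand(cipher_string, table=CIPHERS):
    order, active = list(table), set()   # list position = preference
    def to_tail(sel):
        return [c for c in order if c not in sel] + sel
    for rule in cipher_string.split(":"):
        if rule == "@STRENGTH":
            # Stable sort: strongest first, earlier position wins ties.
            for bits in sorted({c[2] for c in order}, reverse=True):
                order = to_tail([c for c in order if c in active and c[2] == bits])
        elif rule[0] == "!":
            # Kill: gone for good, a later ALL cannot bring it back.
            order = [c for c in order if not matches(c, rule[1:])]
            active = {c for c in active if c in order}
        elif rule[0] == "-":
            # Delete: deactivate but park at the HEAD, so the next rule
            # that re-adds these suites meets them first.
            sel = [c for c in order if c in active and matches(c, rule[1:])]
            order = sel + [c for c in order if c not in sel]
            active -= set(sel)
        else:
            # Add: activate matching inactive suites, appending in list order.
            sel = [c for c in order if c not in active and matches(c, rule)]
            order = to_tail(sel)
            active |= set(sel)
    return [c[0] for c in order if c in active]
```

Comparing `expand("ALL:@STRENGTH")` with `expand("aNULL:-aNULL:ALL:@STRENGTH")` reproduces the shape of the diff above on the sample table, while `expand("aNULL:!aNULL:ALL:@STRENGTH")` shows that `!` removes the anonymous suites permanently instead of reordering them.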

jas...@mail-central.com

Apr 9, 2016, 3:59:35 PM

On Sat, Apr 9, 2016, at 12:27 PM, Viktor Dukhovni wrote:
> The most recently removed ciphers are at the front of the list when
> ciphers are restored. Therefore, "aNULL:-aNULL:ALL:@STRENGTH" is
> different from "ALL:@STRENGTH" in that at any given strength the
> aNULL ciphers are listed first. There's not much point in enabling
> aNULL ciphers if they are not used when supported at both ends (and
> the client is ignoring any server certificate anyway).
>
> % bash
> $ diff -u \
> <(openssl ciphers -v ALL:@STRENGTH) \
> <(openssl ciphers -v aNULL:-aNULL:ALL:@STRENGTH)
...

Ok, that's dense.

I clearly need to read some more. I simply don't get what the intent of that^ is.

I thought 'NULL' were "a bad thing", and that we shouldn't be using them at all.

Digging in various places, I've found a number of examples that had something close to

smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium
smtp_tls_exclude_ciphers = aDH, aDSS, aECDH, EXPORT, kDHd, kDHr, kECDHe, kECDHr, KRB5, LOW, MD5, PSK, RC2, RC5
smtpd_tls_exclude_ciphers = EXPORT, IDEA, LOW, MD5, RC2
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium

Those^ exclude lists are an aggregate of what I've found so far. I'm reading up on each of them.

What I want to get to is to make sure that the "bad" ciphers are NOT enabled/used.

Since I didn't think we should be using NULL-anything, I expected to see 'medium' NOT using them at all.

I guess we're not here^, but I still can't understand why we ENABLE them first, & why that's a good thing.

Jason

Viktor Dukhovni

Apr 9, 2016, 4:16:24 PM
On Sat, Apr 09, 2016 at 12:59:16PM -0700, jas...@mail-central.com wrote:

> > % bash
> > $ diff -u \
> > <(openssl ciphers -v ALL:@STRENGTH) \
> > <(openssl ciphers -v aNULL:-aNULL:ALL:@STRENGTH)
> ...
>
> I thought 'NULL' were "a bad thing", and that we shouldn't be using them at all.

Not at all. When not authenticating the peer, there's no point in
asking for their certificates.

Should bus drivers ask you to wave your closed passport in the air,
just to make sure you have one and without looking at its content
or which country issued it, when you board a bus? Is it bad that
you can board a bus without having a passport?

> What I want to get to is to make sure that the "bad" ciphers are NOT enable/used.

The anonymous ciphers are not "bad", with

smtp_tls_security_level = may

all ciphers are effectively anonymous. Your bus ride is no safer
when some or all of the passengers bring their passports on board
and wave them in the air as they board the bus.

> Since I didn't think we should be using NULL-anything, I expected to see
> 'medium' NOT using them at all.

TLS combines multiple cryptographic primitives:

* Bulk data encryption (medium excludes algorithms weaker than
3-DES and 128-bit RC4)
* Data integrity (SHA1, SHA2, ... MACs or AEAD)
* Key Exchange (RSA key transport, DHE, ECDHE, ...)
* Authentication (Web PKI certificates, PSK, ...)

The aNULL ciphers leave out authentication, and make sense for
opportunistic TLS when you're otherwise willing to send cleartext.

http://www.postfix.org/TLS_README.html#client_tls_levels
http://www.postfix.org/TLS_README.html#client_tls_limits
http://www.postfix.org/TLS_README.html#client_tls_may
https://tools.ietf.org/html/rfc7435

--
Viktor.

jas...@mail-central.com

Apr 9, 2016, 4:29:34 PM
On Sat, Apr 9, 2016, at 01:16 PM, Viktor Dukhovni wrote:
> Is it bad that you can board a bus without having a passport?

Since you're going to torture me with a metaphor ;-) I'll answer :

It depends.

But I DO know that dutifully skimming the scum off the top of a pot of boiling stock DEFINITELY results in a cleaner broth.

(now my head hurts)

> The anonymous ciphers are not "bad", with
>
> smtp_tls_security_level = may
>
> all ciphers are effectively anonymous.

I think this may be where I'm confusing myself. Since (from other thread) I'm looking at whether or not I should -- or can, in today's world -- be using

smtp_tls_security_level = must
smtpd_tls_security_level = must

Yeah, I know one frequent answer is "just leave the Postfix defaults in place", but then you don't actually learn/understand anything.

> Your bus ride is no safer
> when some or all of the passengers bring their passports on board
> and wave them in the air as they board the bus.

Well, at least then you can see their hands! ;-p

> TLS combines multiple cryptographic primitives:

cryptographic primitives?

(mathematicians with spears?)

> * Bulk data encryption (medium excludes algorithms weaker than
> 3-DES and 128-bit RC4)
> * Data integrity (SHA1, SHA2, ... MACs or AEAD)
> * Key Exchange (RSA key transport, DHE, ECDHE, ...)
> * Authentication (Web PKI certificates, PSK, ...)
>
> The aNULL ciphers leave out authentication, and make sense for
> opportunistic TLS when you're otherwise willing to send cleartext.
>
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_limits
> http://www.postfix.org/TLS_README.html#client_tls_may
> https://tools.ietf.org/html/rfc7435

Like I said, I really need to reread all this stuff. It makes sense to you, obviously, but afaict you WRITE this stuff!

Thanks

Jason
