[Cryptography] OpenSSL minimal "safe" configuration?

Viktor Dukhovni cryptography at dukhovni.org
Tue Jan 19 10:24:32 EST 2016


On Mon, Jan 18, 2016 at 12:35:12PM -0800, John Gilmore wrote:

> Similarly, some people are now having trouble sending me email,
> because my MTA doesn't use the latest Diffie-Hellman parameters.

Yes, in fact there are two potential problems: the first is an MD5 rather than
SHA1 or SHA2-256 self-signature, and the second is the weak DH
parameters.  I would assume that it is possible to configure Sendmail
to use a stronger DH group than the 512-bit one that's compiled in?

    $ openssl s_client -starttls smtp -connect new.toad.com:25
    140187582834340:error:1416D18A:SSL routines:tls_process_key_exchange:dh key too small:statem/statem_clnt.c:1567:
    ---
    Certificate chain
     0 s:/CN=new.toad.com
       i:/CN=new.toad.com
    ---
    Certificate:
	Data:
	    Version: 3 (0x2)
	    Serial Number: 0 (0x0)
	Signature Algorithm: md5WithRSAEncryption
	    Issuer: CN=new.toad.com
	    Validity
		Not Before: Dec  9 02:37:02 2010 GMT
		Not After : Jun 25 21:55:26 2033 GMT
	    Subject: CN=new.toad.com
	    Subject Public Key Info:
		Public Key Algorithm: rsaEncryption
		    Public-Key: (2437 bit)
		    Modulus:
		    Exponent: 65537 (0x10001)
	    X509v3 extensions:
		X509v3 Subject Key Identifier: 
		X509v3 Authority Key Identifier: 
		    DirName:/CN=new.toad.com
		    serial:00
		X509v3 Basic Constraints: 
		    CA:TRUE
	Signature Algorithm: md5WithRSAEncryption
    ---
    No client certificate CA names sent
    Server Temp Key: DH, 512 bits
    ---
    SSL handshake has read 1781 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Server public key is 2437 bit
    ---


> STARTSSL, as implemented in the field, has this curious attribute that
> if the command is not recognized, the mail gets delivered in
> plaintext; but if the command is recognized and then the SSL
> negotiation fails, the mail is not delivered, remains queued at the
> sender, and is eventually dropped.

That's Sendmail behaviour; Postfix will send in cleartext when TLS
fails and the message "age" is more than the queue retry time.
(Barring queue congestion, STARTTLS failure defers on the first
delivery attempt, but delivers via cleartext on the second.)

> All this takes even more sysadmin and debugging time than the initial
> investment of ten minutes required to "cut the insecure crap" -- and
> may require reverting to using insecure crap some of the time.

In the meantime, in OpenSSL 1.1.0-dev, I've added support for
configuring the build to disable any or all of the TLS or DTLS protocols.

	no-tls/no-ssl3/no-tls1/no-tls1_1/no-tls1_2/
	no-ssl3-method/no-tls1-method/no-tls1_1-method/no-tls1_2-method
	no-dtls/no-dtls1/no-dtls1_2/no-dtls1-method/no-dtls1_2-method

The no-tls option disables *negotiation* of all TLS protocols via
the version-flexible TLS_method(); no-dtls does the same for
DTLS.  The no-...-method variants also disable support for the
corresponding version-specific method.

This does not remove all possible dead code that may result from
disabling all the protocol methods that use it; that will be a
future enhancement.

Enjoy.  There are also many options to disable various crypto
primitives, but removing sha1 or md5 entirely presently breaks the
build.

-- 
	Viktor.
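One way to turn the manual s_client diagnostic above into a repeatable audit, as an added example that is not part of this thread and not code from OpenSSL, Sendmail or Postfix: a Python script that parses `openssl s_client -starttls smtp` output and flags the three conditions seen in the transcript (an MD5 certificate self-signature, a 512-bit ephemeral DH group, and a handshake that ended with no cipher negotiated). The embedded sample transcript is an abridged copy of the one quoted above, labelled as constructed; the second, clean transcript, the 2048-bit thresholds and the `is_acceptable` policy are assumptions chosen for illustration.

```python
import re
import sys
from typing import Dict, List

# Policy thresholds used by this example (assumptions, not OpenSSL defaults).
MIN_DH_BITS = 2048
MIN_SERVER_KEY_BITS = 2048
WEAK_SIG_ALGS = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Line patterns as printed by `openssl s_client` / `openssl x509 -text`.
ERR_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:[^:\n]*:([^:\n]+):", re.M)
SIG_RE = re.compile(r"^[ \t]*Signature Algorithm:[ \t]*(\S+)", re.M)
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*([\w-]+),\s*(?:[^,\n]+,\s*)?(\d+) bits", re.M)
PUBKEY_RE = re.compile(r"^Server public key is (\d+) bit", re.M)
CIPHER_RE = re.compile(r"^New, .*?, Cipher is (\S+)", re.M)

# Constructed sample: abridged from the transcript quoted in the post above.
SAMPLE_OUTPUT = """\
140187582834340:error:1416D18A:SSL routines:tls_process_key_exchange:dh key too small:statem/statem_clnt.c:1567:
---
Certificate chain
 0 s:/CN=new.toad.com
   i:/CN=new.toad.com
---
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2437 bit)
    Signature Algorithm: md5WithRSAEncryption
---
No client certificate CA names sent
Server Temp Key: DH, 512 bits
---
New, (NONE), Cipher is (NONE)
Server public key is 2437 bit
---
"""

# Constructed sample of a healthy server, for contrast (hypothetical host).
GOOD_OUTPUT = """\
---
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Example CA
---
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
---
Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
"""


def audit_s_client_output(text: str) -> Dict[str, object]:
    """Extract the security-relevant facts from an s_client transcript and list findings."""
    findings: List[str] = []

    # Errors the client library itself raised (e.g. "dh key too small").
    for m in ERR_RE.finditer(text):
        findings.append(f"handshake error reported by client: {m.group(1)}")

    # The signature algorithm line appears twice in -text output; dedupe it.
    sig_algs = sorted(set(SIG_RE.findall(text)))
    for alg in sig_algs:
        if alg in WEAK_SIG_ALGS:
            findings.append(f"certificate signed with weak algorithm: {alg}")

    # Ephemeral key exchange: only finite-field DH is size-checked here.
    kex_type, kex_bits = None, None
    m = TEMP_KEY_RE.search(text)
    if m:
        kex_type, kex_bits = m.group(1), int(m.group(2))
        if kex_type == "DH" and kex_bits < MIN_DH_BITS:
            findings.append(f"ephemeral DH group is only {kex_bits} bits (< {MIN_DH_BITS})")

    server_key_bits = None
    m = PUBKEY_RE.search(text)
    if m:
        server_key_bits = int(m.group(1))
        if server_key_bits < MIN_SERVER_KEY_BITS:
            findings.append(f"server key is only {server_key_bits} bits")

    # "Cipher is (NONE)" means the handshake never completed.
    cipher = None
    m = CIPHER_RE.search(text)
    if m:
        cipher = m.group(1)
        if cipher == "(NONE)":
            findings.append("no cipher negotiated: TLS handshake did not complete")

    return {"sig_algs": sig_algs, "kex_type": kex_type, "kex_bits": kex_bits,
            "server_key_bits": server_key_bits, "cipher": cipher, "findings": findings}


def is_acceptable(report: Dict[str, object]) -> bool:
    """Policy used by this example: any finding at all is a failure."""
    return not report["findings"]


if __name__ == "__main__":
    # Reads a transcript from stdin, or audits the embedded sample when run bare.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = audit_s_client_output(data)
    for finding in report["findings"]:
        print("FAIL:", finding)
    sys.exit(0 if is_acceptable(report) else 1)
```

Usage against a live server would be `openssl s_client -starttls smtp -connect host:25 </dev/null 2>&1 | python3 audit_starttls.py`; the script exits non-zero on any finding, so it can sit in a monitoring job. Note that the "dh key too small" error comes from the client's own minimum (the OpenSSL build doing the probing), so a client with a lower floor would complete the handshake and the script would then rely on the `Server Temp Key` line to catch the weak group.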

