Since RC4/ARCFOUR has been in the news as "breakable" I was wondering if
it is possible to have courier prioritize AES in favour of RCA if supported?
For example, gmail uses RC4 by default, but does support AES:
# openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA
# openssl s_client -cipher AES128-SHA -connect
gmail-smtp-in.l.google.com:25 -starttls smtp
Protocol : TLSv1.2
Cipher : AES128-SHA
I have tried to set TLS_PRIORITY="AES256-SHA256:NORMAL:-CTYPE-OPENPGP"
or TLS_PRIORITY="AES-256-CBC:NORMAL:-CTYPE-OPENPGP" or to both esmtpd
and esmtpd-msa but then I cannot connect at all (using openssl to my
courier server). If I leave default "NORMAL:-CTYPE-OPENPGP" it works:
# openssl s_client -connect localhost:587 -starttls smtp
Protocol : TLSv1.2
Cipher : AES256-SHA256
So, what I am trying to achieve is to prioritize some ciphers before
others, even for normal smtp courier->other host (like gmail). How
should I use the TLS_PRIORITY setting properly do this? I have tried to
use ciphers and ciphersuites from "gnutls-cli -l". Courier is compiled
with with gnutls
# ldd /usr/bin/couriertls
libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x00007fe78b212000)
libgnutls-extra.so.26 => /usr/lib64/libgnutls-extra.so.26
(0x00007fe78b008000)
# gnutls-cli -l
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0
TLS_ANON_DH_AES_128_CBC_SHA256 0x00, 0x6c TLS1.2
TLS_ANON_DH_AES_256_CBC_SHA256 0x00, 0x6d TLS1.2
TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_NULL_SHA1 0x00, 0x02 SSL3.0
TLS_RSA_NULL_SHA256 0x00, 0x3b TLS1.2
TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0
TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0
TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128,
ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, MAC-NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS,
SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: COMP-LZO, COMP-DEFLATE, COMP-NULL
Public Key Systems: RSA, DSA
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256,
SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1,
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD2
~A
--
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
