Hi Sabahattin,

On 18.09.21 11:58, Sabahattin Gucukoglu via Exim-users wrote:
> Is there really a good reason? I do it chiefly because I like OpenSSL’s 
> cipher selection (I want very permissive, ordered by @STRENGTH, and TLS 1.3 
> would be nice). There were also horror stories about RNG entropy starvation 
> caused by GnuTLS.

I run a bunch of low volume mail servers (some thousand mails/day) with Debian
standard packages and it works well for me. Never had issues with entropy
starvation (I run haveged on my servers now, but even before I did not observe
any issues like this). As of now, I believe you could achieve anything you want
with the GnuTLS configuration as well (some selection features were missing
some time ago). I personally use the following cipher selection:

tls_require_ciphers = PFS:SECURE256:SECURE192:-3DES-CBC:-CURVE-SECP192R1:-CURVE-SECP224R1:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-NULL:+VERS-TLS1.3:-MD5:%SERVER_PRECEDENCE:%FORCE_ETM

in the Exim configuration file. I use testssl.sh (https://testssl.sh/) to
verify my configuration (as there is nothing handy like the Qualys Test for
HTTPS, IMHO). Test result for the above cipher list is:

--cut
 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384
                              ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256
                              ECDHE-RSA-AES128-GCM-SHA256
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
 Finite field group:          ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192

 Testing server preferences

 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Cipher order
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256
               AES256-GCM-SHA384 AES256-CCM AES128-GCM-SHA256 AES128-CCM
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
               TLS_AES_128_CCM_SHA256
--cut

The documentation on https://gnutls.org/manual/html_node/Priority-Strings.html
is very good. There are many more (good) examples and defaults for OpenSSL
cipher strings; however, the general approach is very similar. This blog entry
was a good start: https://blog.lighttpd.net/gnutls-priority-strings.html, but
it is quite outdated today (unfortunately).

> I appreciate that this is borderline a Debian question, but since there are 
> presumably experienced users of both libraries here, do you think Exim+GnuTLS 
> is actually viable and that if I were to switch to the prebuilt binaries and 
> adapt to GnuTLSisms it would be adequate for a quiet personal server?

Last time I thought about switching to a self build with OpenSSL was when
TLS1.3 was bleeding edge and not provided by the Debian packaged GnuTLS. Didn't
do it, because security patching in time by the distros team is a big plus (I
would not be able to do this in time and quality).

Besides this: About 85% of the incoming traffic is still unencrypted (for my
statistics, mainly because some high volume mailing list servers do not use
TLS), about 10% uses TLS1.3, 5% still uses TLS1.2 (I log TLS ciphers via
+tls_cipher in Exim).

hth,
Thomas

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
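
The protocol shares mentioned in the message above can be computed from an Exim main log once +tls_cipher is logged. The following is an added example, not part of the original message; the log lines are constructed, and the X=<protocol>:<cipher>:<bits> field layout and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (not real traffic); the field
# layout (X=<protocol>:<cipher>:<bits>) is assumed from a +tls_cipher setup.
SAMPLE_LOG = """\
2021-09-18 12:00:01 1mRaaa-0001Ab-Cd <= news@lists.example.org H=lists.example.org [192.0.2.10] P=esmtp S=4312
2021-09-18 12:00:05 1mRaaa-0001Ab-Cd => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7] X=TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 CV=yes
2021-09-18 12:03:10 1mRbbb-0001Ef-Gh <= alice@example.org H=mail.example.org [192.0.2.20] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 CV=no S=2210
2021-09-18 12:04:44 1mRccc-0001Ij-Kl <= carol@example.com H=smtp.example.com [192.0.2.30] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1830
2021-09-18 12:05:02 1mRddd-0001Mn-Op <= root@host.example U=root P=local S=512
2021-09-18 12:06:30 1mReee-0001Qr-St <= bulk@lists.example.org H=lists.example.org [192.0.2.10] P=esmtp S=9120
"""

# "<date> <time> <message-id> <= ..." marks a message arrival.
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= ")
# Protocol is the first colon-separated part of the X= field.
TLS_FIELD = re.compile(r" X=([^\s:]+):\S+")


def tls_usage(log_text):
    """Count inbound SMTP arrivals per TLS protocol ('plaintext' if no X=)."""
    counts = Counter()
    for line in log_text.splitlines():
        # Skip deliveries (=>) and local submissions (no H= host field).
        if not ARRIVAL.match(line) or " H=" not in line:
            continue
        match = TLS_FIELD.search(line)
        counts[match.group(1) if match else "plaintext"] += 1
    return counts


def shares(counts):
    """Convert counts to percentages, rounded to one decimal place."""
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {}


def legacy_protocols(counts, allowed=("TLS1.2", "TLS1.3")):
    """Protocols seen in the log that the priority string should have refused."""
    return sorted(p for p in counts if p != "plaintext" and p not in allowed)


if __name__ == "__main__":
    usage = tls_usage(SAMPLE_LOG)
    print(shares(usage), "legacy:", legacy_protocols(usage))
```

A non-empty result from legacy_protocols() after deploying a priority string with -VERS-TLS1.0:-VERS-TLS1.1 would mean the running daemon is not using the configuration you tested.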
