On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:
> Is there a way to configure smtpd to only use specified ciphers or limit it
> to TLSv1.[12]?
>
> I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
> `ssl_ciphers` or `ssl_protocols` configuration directives.
>
no, we don't want to make this tunable. the rationale is that we want to
propose the best encryption by default. if there is a better choice, it
should be proposed and discussed openly as it should become the new default.
yes, it's tempting to provide ssl_ciphers but unless there's a very good
reason to do it, we won't introduce this new knob.

> The reason I ask is because I'm very close to failing my PCI compliance
> because of smtpd. They score each compliance test from 0 to 9. If any single
> score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
> receiving a risk score of 3.9. I have a feeling that in the not too distant
> future this particular test will fail.
>
> My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
> information disclosure" because of the initialization vector implementations
> in SSLv3 and TLSv1.0.
>
> Their stated resolution is:
>
> "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
> Configure SSL/TLS servers to only support cipher suites that do not use
> block ciphers."
>

This can certainly be improved without adding an ssl_ciphers knob

> I'm not a mail expert, but my feeling is that secured email hasn't been
> widespread until recent years. If any MTAs support encryption, they are
> probably using the latest protocols and ciphers.
>

That's not correct, no. I get plenty of TLS 1.0 traffic and it has been the
case for many years

--
Gilles Chehade

https://www.poolp.org                @poolpOrg

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
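The PCI finding quoted in the thread is about two things: protocol versions below TLS 1.1 (SSLv3 and TLS 1.0, whose CBC IV handling is the "initialization vector" issue the vendor names) and cipher suites that run a block cipher in CBC mode. The following is an added example, not code from the thread or from the OpenSMTPD project, showing how an operator can check a scanner's list of offered protocols and suites against that resolution and build a standard-library `ssl` server context that satisfies it. The scanner report is a constructed sample, the `is_cbc_suite` classification is a heuristic over OpenSSL and IANA suite names (only GCM/CCM/ChaCha20 AEAD suites, RC4 and NULL are treated as non-CBC), and `hardened_context` uses TLS 1.2 as the floor because the AEAD suites the resolution leaves usable only exist from TLS 1.2 onward.

```python
"""Audit a TLS configuration against the PCI finding discussed above.

Added example (not part of the OpenSMTPD thread or project). Sample scanner
output below is constructed, not captured from any real server.
"""
import ssl

# Protocol versions the finding objects to (SSLv2 added for completeness).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}

# Constructed sample in the shape of a scanner report: versions the server
# negotiated and the suites it offered.
SCAN_RESULT = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-SHA",
        "AES256-SHA",
        "DES-CBC3-SHA",
        "ECDHE-RSA-CHACHA20-POLY1305",
    ],
}


def is_cbc_suite(name: str) -> bool:
    """Heuristic: does this OpenSSL or IANA suite name use a CBC-mode block cipher?

    IANA names spell out _CBC_; OpenSSL names omit it (e.g. AES256-SHA is
    AES-256-CBC), so anything that is not AEAD (GCM/CCM), ChaCha20-Poly1305,
    a stream cipher (RC4) or NULL is treated as CBC.
    """
    n = name.upper()
    if "CBC" in n or "3DES" in n:
        return True
    if any(tok in n for tok in ("GCM", "CCM", "CHACHA20", "RC4", "NULL")):
        return False
    return True


def audit_protocols(offered):
    """Offered protocol versions that fail the 'TLS 1.1 or 1.2 only' rule."""
    return sorted(p for p in offered if p in WEAK_PROTOCOLS)


def audit_ciphers(names):
    """Split offered suites into (cbc_suites, non_cbc_suites), order preserved."""
    cbc = [n for n in names if is_cbc_suite(n)]
    ok = [n for n in names if not is_cbc_suite(n)]
    return cbc, ok


def hardened_context() -> ssl.SSLContext:
    """Server context meeting the resolution: TLS >= 1.2 and AEAD-only suites.

    TLS 1.2 is the floor because GCM/ChaCha20 suites do not exist in 1.0/1.1;
    the cipher string keeps only forward-secret ECDHE suites with AEAD bulk
    encryption. TLS 1.3 suites are all AEAD and remain available.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def hardened_min_version_name() -> str:
    """Name of the protocol floor the hardened context enforces."""
    return hardened_context().minimum_version.name


def context_cbc_suites(ctx: ssl.SSLContext):
    """CBC suites a context would still offer; empty for the hardened one."""
    return [c["name"] for c in ctx.get_ciphers() if is_cbc_suite(c["name"])]


if __name__ == "__main__":
    weak = audit_protocols(SCAN_RESULT["protocols"])
    cbc, ok = audit_ciphers(SCAN_RESULT["ciphers"])
    print("weak protocols offered:", weak or "none")
    print("CBC suites offered:    ", cbc or "none")
    print("acceptable suites:     ", ok or "none")
    ctx = hardened_context()
    print("hardened floor:", ctx.minimum_version.name,
          "| CBC suites left:", context_cbc_suites(ctx) or "none")
```

Run against the constructed report it flags SSLv3 and TLSv1 plus the three CBC suites; the hardened context reports a TLSv1_2 floor and no CBC suites. Note that the heuristic leaves RC4 as "non-CBC" because it is a stream cipher, which is exactly what the vendor's wording asks for, but RC4 is weak on its own merits and a real cipher string should exclude it as the hardened one here does.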