Gilles Chehade wrote, On 06/08/14 05:40:
On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:
Is there a way to configure smtpd to only use specified ciphers or limit it
to TLSv1.[12]?

I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
`ssl_ciphers` or `ssl_protocols` configuration directives.

no, we don't want to make this tunable.

the rationale is that we want to propose the best encryption by default.
if there is a better choice, it should be proposed and discussed openly
as it should become the new default.

yes, it's tempting to provide ssl_ciphers but unless there's a very good
reason to do it, we won't introduce this new knob.

I must agree, I'm in favor of no knob as well.

The reason I ask is because I'm very close to failing my PCI compliance
because of smtpd. They score each compliance test from 0 to 9. If any single
score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
receiving a risk score of 3.9. I have a feeling that in the not too distant
future this particular test will fail.

My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
information disclosure" because of the initialization vector implementations
in SSLv3 and TLSv1.0.

Their stated resolution is:

"Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use
block ciphers."

This can certainly be improved without adding an ssl_ciphers knob

How? Is there a workaround?


I'm not a mail expert, but my feeling is that secured email hasn't been
widespread until recent years. If any MTAs support encryption, they are
probably using the latest protocols and ciphers.

That's not correct, no. I get plenty of TLS 1.0 traffic, and it has been
the case for many years.

I stand corrected. Thanks Gilles.
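Since smtpd exposes no protocol or cipher knob, the practical move is to measure what the server actually negotiates, which is what the PCI scanner does. The script below is an added example, not code from OpenSMTPD or from anyone in this thread: it performs STARTTLS against an SMTP server once per TLS version, pinning the client to exactly that version, and grades each negotiated (protocol, cipher) pair against the vendor's remediation quoted above. Assumptions: Python 3.7+ (for ssl.TLSVersion); the host name `mail.example.com` is a placeholder; and the "no block ciphers" rule is read as "no CBC-mode block-cipher suites", because the IV weakness in SSLv3/TLS 1.0 is specific to CBC chaining and AEAD suites such as AES-GCM are unaffected (taken literally, the rule would leave only RC4).

```python
"""Probe an SMTP server's STARTTLS offering per TLS version and grade each
negotiated (protocol, cipher) pair: TLS 1.1+ only, no CBC-mode block ciphers.

Added example, not OpenSMTPD code. Assumes Python 3.7+ (ssl.TLSVersion).
"""
import smtplib
import ssl
import sys

DEFAULT_PORT = 25  # assumption: probing the MX port, not submission (587)

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Protocol versions whose CBC record layer reuses the previous record's last
# ciphertext block as the next IV (the "initialization vector" finding).
IMPLICIT_IV_PROTOCOLS = {"SSLv3", "TLSv1"}


def cipher_mode(name):
    """Classify an OpenSSL cipher-suite name by its symmetric cipher mode.

    Returns "AEAD" (GCM/CCM/ChaCha20-Poly1305, which covers every TLS 1.3
    suite), "stream" (RC4), "none" (NULL cipher), or "CBC" for the remaining
    block-cipher suites (AES*-SHA*, DES-CBC3, CAMELLIA, SEED, ...).
    """
    n = name.upper()
    if "NULL" in n:
        return "none"
    if "RC4" in n:
        return "stream"
    if any(tag in n for tag in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    return "CBC"


def assess(protocol, cipher):
    """Grade one negotiated (protocol, cipher) pair against the vendor rule.

    Returns a dict with the verdict and the reasons it fails (empty if it
    passes). Assumption: "block ciphers" means CBC-mode suites only.
    """
    reasons = []
    if protocol in IMPLICIT_IV_PROTOCOLS:
        reasons.append(f"{protocol} uses chained CBC IVs; require TLS 1.1+")
    mode = cipher_mode(cipher)
    if mode == "CBC":
        reasons.append(f"{cipher} is a CBC-mode block-cipher suite")
    if mode == "none":
        reasons.append(f"{cipher} provides no confidentiality")
    return {"protocol": protocol, "cipher": cipher, "mode": mode,
            "compliant": not reasons, "reasons": reasons}


def probe_starttls(host, port, version):
    """Try STARTTLS with the client pinned to exactly one TLS version.

    Returns (protocol, cipher_name) on success, or None if the handshake
    fails (server refuses that version) or the server offers no STARTTLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[version]
    ctx.maximum_version = VERSIONS[version]
    # We are measuring what the server offers, not validating its chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
    # lower it so the old versions are genuinely attempted.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return None
            smtp.starttls(context=ctx)
            name, proto, _bits = smtp.sock.cipher()
            return (proto, name)
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None


def scan(host, port=DEFAULT_PORT):
    """Probe every TLS version and return the assessment of each that was
    accepted by the server."""
    results = []
    for version in VERSIONS:
        negotiated = probe_starttls(host, port, version)
        if negotiated:
            results.append(assess(*negotiated))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for r in scan(target):
        verdict = "PASS" if r["compliant"] else "FAIL"
        print(f"{verdict} {r['protocol']:8} {r['cipher']:32} {r['mode']:6}",
              "; ".join(r["reasons"]))
```

A version that comes back as not negotiated is only evidence that the handshake failed, not proof the server refuses it: if the client-side OpenSSL was built without TLS 1.0 support, the probe cannot tell the difference. Cross-check any such gap with `openssl s_client -starttls smtp -connect host:25 -tls1` before relying on the result, and remember that the cipher the server picks for one pinned version is the one it prefers for that version, not the full list it would accept.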

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
