On Sun, Jan 05, 2014 at 01:49:34PM +0100, Kurt Roeckx wrote:

> I've been looking at the current state of TLS support in postfix.
> I notice that the documentation on the website says it will
> support DANE in the 2.11 version.

Correct.  Have not yet had time to write a separate comprehensive
DANE_README.html tutorial.  Getting the underlying IETF drafts out
the door has been a higher priority.

> So one thing I've noticed is that you currently only have settings
> for dh512 and dh1024.  I would really like to see an option to
> have at least 2048 and maybe even 4096 bit DH parameters.
>
> As far as I know you can set anything in the dh512 and dh1024
> file, but the documentation doesn't make that clear.

See the whole document, but in particular the quick-start section:

    http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

> So I've been looking at which ciphers are currently selected.  The
> documentation (TLS_README) says that log level 0 should log
> "summary message on TLS handshake completion" with 2.9.

If that is still there, that's an error: log level 0 logs nothing
about TLS.  The summary log level is log level 1.

> It would be nice that it could also say something about the (EC)DH
> parameters, and maybe about the other side's certificate.

The handshake parameters are not reported by the OpenSSL client API,
and the logging would get unwieldy.

> | When TLSA records are not found or are all unusable the effective
> | security level is "may" or "encrypt" respectively.
> 
> So does that mean:
> - No TLSA records: may
> - TLSA present but unusable: encrypt

Correct.  Hence "respectively".

> - TLSA present and usable: fingerprint for type 3 (and 1),
> or nexthop, hostname for type 2.
> 
> unusable would be a certificate constraint type of 0.

Yes, or some martian value not understood by the implementation,
or bogus digest lengths and/or invalid encodings of certificates
or public keys.

> I assume that the "trust-anchor (TA)" is type 2, and end-entity
> (EE) is type 3.

Correct.

> (I think it's all documented somewhere, but some parts are
> repeated and not exactly the same, and so it's a bit spread
> out.)

Thus the need for a DANE_README.html, any volunteers?  All the
required material is scattered about in:

    http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html
    http://www.postfix.org/postconf.5.html
    http://www.postfix.org/TLS_README.html
    http://www.postfix.org/FORWARD_SECRECY_README.html

-- 
        Viktor.

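The TLSA usability rules and the resulting effective security level discussed in the message above, worked through as an added example (this is not Postfix code, nor anything from the thread's authors). It applies the rules stated in the reply: certificate usage 0 is unusable, a "martian" usage value is unusable, a digest of the wrong length for its matching type is unusable, and a matching type 0 record whose payload is not a syntactically valid DER SEQUENCE (both certificates and SubjectPublicKeyInfo are SEQUENCEs) is unusable. Usage 2 records are treated as trust anchors (TA) and usage 3 as end-entity (EE); treating usage 1 like usage 3 is an assumption made here, as is the assumption that the configured level is "dane" so that "no records" maps to "may" and "all unusable" maps to "encrypt". The DER check is deliberately minimal (tag and length consistency only) and all sample records are constructed, not real DNS data.

```python
"""Classify DANE TLSA records by usability and derive the effective
security level, following the rules quoted in the message above.

Added example, not Postfix code.  Rules implemented:
  * certificate usage 0 (PKIX-TA) is unusable
  * usage values outside 0..3 ("martian") are unusable
  * unknown selectors / matching types are unusable
  * matching type 1 (SHA2-256) needs exactly 32 bytes of data,
    matching type 2 (SHA2-512) exactly 64 bytes
  * matching type 0 (full) needs a syntactically valid DER SEQUENCE
Effective level (assuming the configured level is "dane"):
  no records -> "may", all unusable -> "encrypt", otherwise "dane".
Usage 2 records are trust anchors; usage 3 (and, as an assumption
here, usage 1) are end-entity matches.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


# matching type -> required digest length in bytes
DIGEST_LEN = {1: 32, 2: 64}


def valid_der_sequence(blob: bytes) -> bool:
    """Minimal DER sanity check: a SEQUENCE (tag 0x30) whose encoded
    length covers exactly the rest of the blob.  Minimality of the
    long-form length is not checked; this is a syntax check only."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(blob)
    nbytes = first & 0x7F                 # long-form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(blob) < 2 + nbytes:
        return False
    length = int.from_bytes(blob[2:2 + nbytes], "big")
    return 2 + nbytes + length == len(blob)


def classify(rec: TLSA) -> str:
    """Return "EE", "TA" or "unusable" for one TLSA record."""
    if rec.usage not in (1, 2, 3):        # usage 0 and martian values
        return "unusable"
    if rec.selector not in (0, 1):        # 0 = full cert, 1 = SPKI
        return "unusable"
    if rec.mtype in DIGEST_LEN:
        if len(rec.data) != DIGEST_LEN[rec.mtype]:
            return "unusable"             # bogus digest length
    elif rec.mtype == 0:
        if not valid_der_sequence(rec.data):
            return "unusable"             # invalid cert / SPKI encoding
    else:
        return "unusable"                 # unknown matching type
    return "TA" if rec.usage == 2 else "EE"


def effective_level(records) -> str:
    """Map a TLSA RRset to the effective Postfix security level."""
    if not records:
        return "may"
    if all(classify(r) == "unusable" for r in records):
        return "encrypt"
    return "dane"


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation form 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


if __name__ == "__main__":
    # Constructed sample RRset (not real DNS data): one usable EE record,
    # one usage-0 record, one record with a truncated digest.
    rrset = [
        parse_tlsa("3 1 1 " + "ab" * 32),
        parse_tlsa("0 0 1 " + "cd" * 32),
        parse_tlsa("3 1 1 " + "ef" * 20),
    ]
    for r in rrset:
        print(r.usage, r.selector, r.mtype, "->", classify(r))
    print("effective level:", effective_level(rrset))
```

Running the script classifies the first constructed record as EE and the other two as unusable, so the RRset as a whole yields the "dane" level; dropping the usable record leaves only unusable ones and the level falls back to "encrypt".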