How to configure Dovecot to disable NIST's curves and still retain EECDH?

Tributh dovecot-user at tributh.net
Wed Dec 19 07:49:22 EET 2018



On 19.12.18 at 04:39, Kurt Fitzner wrote:
> I am interested in configuring Dovecot's TLS so as to retain forward
> secrecy, but eliminate all of NIST's elliptic curves.
> 
> Besides being subject to side channel attacks
> <https://blog.cr.yp.to/20140323-ecdsa.html>, in some quarters there is a
> general distrust of NIST's curves and any of their other cryptographic
> primitives after the Dual EC DRBG debacle.
> 
> From what I can tell, the following will prevent the use of NIST's
> curves (along with other dangerous primitives) in Dovecot, but this is
> accomplished by simply disabling EECDH entirely.
> 
> ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH
> 
> This should still retain forward secrecy through the use of EDH, but
> this doesn't leave much in the way of allowable algorithms on my server:
> 
> $ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH'
> 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH  Au=RSA Enc=AESGCM(256) Mac=AEAD
> 0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH  Au=RSA Enc=AES(256)    Mac=SHA256
> 0x00,0x9D - AES256-GCM-SHA384         TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
> 0x00,0x3D - AES256-SHA256             TLSv1.2 Kx=RSA Au=RSA Enc=AES(256)    Mac=SHA256
> 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH  Au=RSA Enc=AESGCM(128) Mac=AEAD
> 0x00,0x67 - DHE-RSA-AES128-SHA256     TLSv1.2 Kx=DH  Au=RSA Enc=AES(128)    Mac=SHA256
> 0x00,0x9C - AES128-GCM-SHA256         TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
> 0x00,0x3C - AES128-SHA256             TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)    Mac=SHA256
> 
> Is there a better way to do this? Is there a way to disable only the
> suspect NIST curves and still retain EECDH but with side-channel safe
> curves like X25519?
> 
> Thanks,
> 
>        Kurt Fitzner
> 

Do you really plan to do this?
RFC 8446 section 9.1:
   A TLS-compliant application MUST support key exchange with secp256r1
   (NIST P-256) and SHOULD support key exchange with X25519

I think your idea might not be future-proof.

Besides that, how many mail clients will remain usable with this cipher
selection?

Torsten
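An added example, not part of this thread: it parses the `openssl ciphers -V` output quoted above and asks the local OpenSSL which key exchanges a cipher string really leaves, so the forward-secrecy claim can be checked rather than assumed. With `!EECDH:!ECDH` the static-RSA suites (Kx=RSA) in the posted output remain, and those give no forward secrecy; the comparison string PFS_ONLY is my own assumption, and which curves ECDHE may use is a separate setting (OpenSSL's group list, Dovecot 2.3's ssl_curve_list), not something a cipher string can express.

```python
import ssl

# The `openssl ciphers -V` output quoted in the original post, one suite per
# line (re-typed from the email so this example runs offline).
SAMPLE_OUTPUT = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH  Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x9D - AES256-GCM-SHA384         TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x3D - AES256-SHA256             TLSv1.2 Kx=RSA Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x67 - DHE-RSA-AES128-SHA256     TLSv1.2 Kx=DH  Au=RSA Enc=AES(128)    Mac=SHA256
0x00,0x9C - AES128-GCM-SHA256         TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x3C - AES128-SHA256             TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)    Mac=SHA256
"""

# The cipher string from the original post: drops every ECDH key exchange.
NO_EECDH = "HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH"
# Hypothetical comparison string (assumption, not from the thread): keep
# ephemeral ECDH and DH, drop static-RSA key exchange. A cipher string cannot
# name curves; which curves ECDHE offers is a separate knob (OpenSSL groups,
# Dovecot 2.3's ssl_curve_list).
PFS_ONLY = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:!aNULL:!eNULL:!SHA1:@STRENGTH"

def kx_of(description):
    """Return the Kx= value from an OpenSSL cipher description line."""
    return next(f[3:] for f in description.split() if f.startswith("Kx="))

def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` lines into an ordered list of (name, kx)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "-":   # "0x00,0x9F - NAME ..."
            rows.append((fields[2], kx_of(line)))
    return rows

def non_pfs(rows):
    """Names of suites whose key exchange gives no forward secrecy (static RSA)."""
    return [name for name, kx in rows if kx == "RSA"]

def live_kx(cipher_string):
    """Ask the local OpenSSL which key exchanges a cipher string really yields."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: kx_of(c["description"]) for c in ctx.get_ciphers()}

if __name__ == "__main__":
    print("static-RSA suites left by the posted string:", non_pfs(parse_ciphers_v(SAMPLE_OUTPUT)))
    for label, s in (("posted", NO_EECDH), ("PFS-only", PFS_ONLY)):
        print(label, "key exchanges:", sorted(set(live_kx(s).values())))
```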
