<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<div class="post-text">
<p>I am interested in configuring Dovecot's TLS so as to retain forward secrecy, but eliminate all of NIST's elliptic curves.</p>
<p>Besides being <a href="https://blog.cr.yp.to/20140323-ecdsa.html" rel="nofollow noreferrer">subject to side channel attacks</a>, in some quarters there is a general distrust of NIST's curves and any of their other cryptographic primitives after the Dual EC DRBG debacle.</p>
<p>From what I can tell, the following will prevent the use of NIST's curves (along with other dangerous primitives) in Dovecot, but this is accomplished by simply disabling EECDH entirely.</p>
<pre><code>ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH
</code></pre>
<p>This should still retain forward secrecy through the use of EDH, but this doesn't leave much in the way of allowable algorithms on my server:</p>
<pre><code>$ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH'
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
</code></pre>
<p>Is there a better way to do this? Is there a way to disable only the suspect NIST curves and still retain EECDH but with side-channel safe curves like X25519?</p>
<p>Thanks,</p>
<p> Kurt Fitzner</p>
<p> </p>
</div>
</body></html>