Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 26 August 2015 13:50 UTC

Date: Wed, 26 Aug 2015 13:50:43 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150826135043.GU9021@mournblade.imrryr.org>
References: <20150824212907.GN9021@mournblade.imrryr.org> <619ffebb05ba4e2a9af03a6dcc768d6e@ustx2ex-dag1mb2.msg.corp.akamai.com> <20150824215037.GO9021@mournblade.imrryr.org> <9A043F3CF02CD34C8E74AC1594475C73F4AE62A1@uxcn10-5.UoA.auckland.ac.nz> <20150825134333.GX9021@mournblade.imrryr.org> <6b5167f3d0684a8a91caa6d37dec65e3@ustx2ex-dag1mb2.msg.corp.akamai.com> <20150825160627.GH9021@mournblade.imrryr.org> <55DC961A.903@cs.tcd.ie> <20150825165539.GL9021@mournblade.imrryr.org> <55DDA7E4.1090807@cisco.com>
In-Reply-To: <55DDA7E4.1090807@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/uBX9hd4KC0wUIlO22NkQBSLo4iE>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06

On Wed, Aug 26, 2015 at 01:49:56PM +0200, Eliot Lear wrote:

> On 8/25/15 6:55 PM, Viktor Dukhovni wrote:
> 
> > The nasty part is that cleartext fallback is not always desirable
> > or available.  Sendmail IIRC does not fall back after STARTTLS
> > handshake failure.
> 
> Yes, that's right.  Instead you get a 403 4.7.0 TLS handshake failed.
> This is now happening all over the place, as it turns out, due to the
> recent changes to the OpenSSL library involving dh processing.

With Logjam we don't have much choice but to break compatibility
with 512-bit DH, because we're mitigating a downgrade attack.

Are there many servers out there with 512-bit DH keys not only for
export ciphers but across the board?

Sendmail uses a single set of DH parameters, rather than one set
for export and another for non-export ciphers, and perhaps it was
not entirely uncommon to configure it to use 512-bit DH parameters
across the board.

The Sendmail DH code has incorrect assumptions and corresponding
internal documentation.  It assumes wrongly that TLS clients need
to configure DH parameters.  (Sendmail could avoid loading or
generating DH parameters when running as a client).  Sendmail should
have been using the OpenSSL DH parameter callback API, rather than
setting fixed parameters for both export and non-export ciphers.

Needless to say the TLS functionality in Sendmail does not appear
to be very actively maintained. :-(

-- 
	Viktor.