DANE-TA(2) private CAs and SHA-1


Viktor Dukhovni

By using DANE-TA(2) TLSA records you can associate your SMTP server
with either a public or private (your own) issuer CA.  This can
simplify the management of TLSA records of multiple MX hosts by
using a CNAME to a common location where you publish the shared CA
key hash.

Some care needs to be taken to make sure that certificate chains
issued by a private CA can be successfully validated by correctly
configured DANE TLS clients.

    1.  Make sure the MX hostname of the end-entity server is one of the
        names in the subjectAltName extension of the server certificate.
        This is optional for DANE-EE(3), but is required for DANE-TA(2).

        Some MX hosts are known by different names when serving
        different domains.  I don't recommend this, but can't stop
        you from doing it.  In that case, all the names should
        appear in the certificate, or (if using server-side SNI)
        each name should appear in the corresponding certificate.

    2.  Make sure that the server certificate is replaced in a
        timely manner before it expires.  This is also optional
        with DANE-EE(3), and required with DANE-TA(2).

    3.  [The motivation for this message].  Use broadly accepted
        cryptographic algorithms and parameters.  For example,
        recent versions of GnuTLS by default no longer accept SHA-1
        signatures in certificate chains.  Some versions of Exim
        that support DANE are linked with GnuTLS, and the Exim
        maintainers are not presently inclined to re-enable SHA-1
        support.  Therefore, sites using private CAs with SHA-1
        signatures may encounter problems receiving some email.
        (Public CA/B forum CAs no longer issue SHA-1 certificates.)

        For best interoperability use the SHA256 digest algorithm
        in certificate signatures.

        For best interoperability, use RSA key sizes of at least 1280 bits,
        and no more than 4096.  The most common choice is 2048 bits.

        For ECDSA, stick with NIST P-256 (OpenSSL names for this
        ECDSA curve are prime256v1 and secp256r1).

Today (after most of the small number of domains using SHA-1 with
private CAs re-issued their certificates) the DANE survey finds
only one MX host of one domain with SHA-1 private-CA signatures:

    semidefinite.de. IN MX 10 mail.semidefinite.de.

so the impact of the GnuTLS policy is low.  With a bit of luck,
this post will help others avoid the same issue, and perhaps
also the postmaster of the above domain will see it on one
of the dane-users, postfix-users or exim-users lists, so the
number of affected domains may soon be zero.