Disabling TLS 1.0/1.1, is it advisable?


Disabling TLS 1.0/1.1, is it advisable?

Bryan K. Walton-3
Apple, Google, Microsoft, and Mozilla have all announced that they will
be deprecating TLS 1.0 and 1.1 in March 2020, in their web browsers.
Similarly, SSL Labs has announced that they will be downgrading web
server scores to a maximum of B, starting in January 2020, if that
webserver supports TLS 1.0/1.1.

Now, I know that what is good for web servers/browsers, isn't
necessarily the same for SMTP servers.  For example, I've learned from
this mailing list that public facing MTAs should not require
super-strong ciphers because that may force another MTA to use
unencrypted communication:

http://postfix.1071664.n5.nabble.com/template/NamlServlet.jtp?macro=print_post&node=88919

http://postfix.1071664.n5.nabble.com/template/NamlServlet.jtp?macro=print_post&node=80355

How does the recommendation that we not REQUIRE super-strong ciphers
relate to the issue of TLS protocols?  Should we continue to allow TLS
1.0/1.1 for the same reason that we should allow weak ciphers?

Thanks!
Bryan

Re: Disabling TLS 1.0/1.1, is it advisable?

Bastian Blank-3
On Wed, Nov 06, 2019 at 08:54:17AM -0600, Bryan K. Walton wrote:
> Apple, Google, Microsoft, and Mozilla have all announced that they will
> be deprecating TLS 1.0 and 1.1 in March 2020, in their web browsers.

Mail is not a web browser.

> Similarly, SSL Labs has announced that they will be downgrading web
> server scores to a maximum of B, starting in January 2020, if that
> webserver supports TLS 1.0/1.1.

Also, mail is not a web server.

> Now, I know that what is good for web servers/browsers, isn't
> necessarily the same for SMTP servers.  For example, I've learned from
> this mailing list that public facing MTAs should not require
> super-strong ciphers because that may force another MTA to use
> unencrypted communication:

You can do that if you at the same time _enforce_ encryption, for
example on submission.

Bastian

--
The heart is not a logical organ.
                -- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4

Re: Disabling TLS 1.0/1.1, is it advisable?

Viktor Dukhovni
> On Nov 6, 2019, at 10:17 AM, Bastian Blank <bastian+postfix-users=[hidden email]> wrote:
>
>> Now, I know that what is good for web servers/browsers, isn't
>> necessarily the same for SMTP servers.  For example, I've learned from
>> this mailing list that public facing MTAs should not require
>> super-strong ciphers because that may force another MTA to use
>> unencrypted communication:
>
> You can do that if you at the same time _enforce_ encryption, for
> example on submission.

A floor of TLS 1.2 for mandatory inbound TLS (essentially just
submission) is not unreasonable:

  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

And yet it is perhaps still too early to disable TLSv1 for opportunistic
TLS.  Even among security-conscious SMTP servers that have DANE TLSA
records (solicit mandatory inbound encryption), some still only support
TLSv1.  In the DANE survey dataset counting frequencies of protocol version
by unique SMTP server name offering at most that protocol I see:

 IPv4:
    32 TLS10
  3086 TLS12
  3095 TLS13

 IPv6:
    14 TLSv1
  1559 TLSv1.2
  1713 TLSv1.3

So around 0.5% of DANE-enabled SMTP servers support only TLSv1.  I'd
hazard a guess that the rate is higher among SMTP servers in general.

Sadly, this means that even:

   # Not yet!
   # smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

is likely premature.  And even though nobody seems to have a need for
TLSv1.1, definitely avoid:

   # Bad idea. OpenSSL does not handle "protocol holes" in the way
   # you'd expect, you end up enabling only the protocols below the
   # first "hole"!
   #
   # DO NOT DO THIS!  It amounts to enabling only "TLSv1".
   #
   # smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1

--
        Viktor.
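
A small model of the "protocol hole" behaviour Viktor describes above, added here as an illustration and not Postfix or OpenSSL code: it takes a Postfix-style protocol list, applies the exclusions, and then keeps only the contiguous run of versions starting at the lowest enabled one, so anything above the first hole is reported as lost. The protocol names and their ordering are assumed from the thread.

```python
# Constructed model of how an exclusion list such as
#   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
# collapses to a contiguous min..max range, as described in the thread.
# This is illustrative code, not Postfix's own implementation.

# Assumed version ordering (lowest to highest).
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_protocol_list(value):
    """Split a comma/space separated list into (included, excluded) names."""
    included, excluded = [], []
    for token in value.replace(",", " ").split():
        if token.startswith("!"):
            excluded.append(token[1:])
        else:
            included.append(token)
    return included, excluded


def effective_protocols(value):
    """Return (enabled, lost).

    enabled: versions actually usable after the range is made contiguous.
    lost:    versions the admin meant to keep but that sit above the first hole.
    """
    included, excluded = parse_protocol_list(value)
    for name in included + excluded:
        if name not in VERSIONS:
            raise ValueError("unknown protocol name: %s" % name)
    # Start from the explicit include list, or from everything if only "!" entries.
    wanted = [v for v in VERSIONS if v in (included or VERSIONS) and v not in excluded]
    if not wanted:
        return [], []
    # Walk upward from the lowest wanted version until the first hole.
    enabled = [wanted[0]]
    for v in VERSIONS[VERSIONS.index(wanted[0]) + 1:]:
        if v not in wanted:
            break
        enabled.append(v)
    lost = [v for v in wanted if v not in enabled]
    return enabled, lost


def check_setting(value):
    """Human-readable verdict for a candidate protocol list."""
    enabled, lost = effective_protocols(value)
    if lost:
        return "WARNING: hole in range; only %s enabled, %s silently lost" % (enabled, lost)
    return "OK: enabled %s" % enabled
```

`check_setting("!SSLv2, !SSLv3, !TLSv1.1")` reports that only TLSv1 survives, which is exactly the trap the comment in the post warns about.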


Re: Disabling TLS 1.0/1.1, is it advisable?

Blake Hudson
In reply to this post by Bryan K. Walton-3
I found that when clients are using common software like Windows 7 and
Windows Live Mail, Outlook 2013, or recent versions of Thunderbird you
are still likely to see TLS 1.0 connections. If your mail server only
serves an organization where you control the client software you could
probably move to TLS1.2 (and above) on your submission service with
little effort. If you provide mail as an ISP and don't control client
software/versions and want to be generous in what you accept, you might
have to leave TLS 1.0 enabled a while longer on the submission service.

On port 25 server to server connections, I agree with the sentiments of
others on this thread and think disabling TLS1.0/1.1 is a bit premature
at this time for most organizations.

--Blake

Bryan K. Walton wrote on 11/6/2019 8:54 AM:

> Apple, Google, Microsoft, and Mozilla have all announced that they will
> be deprecating TLS 1.0 and 1.1 in March 2020, in their web browsers.
> Similarly, SSL Labs has announced that they will be downgrading web
> server scores to a maximum of B, starting in January 2020, if that
> webserver supports TLS 1.0/1.1.
>
> Now, I know that what is good for web servers/browsers, isn't
> necessarily the same for SMTP servers.  For example, I've learned from
> this mailing list that public facing MTAs should not require
> super-strong ciphers because that may force another MTA to use
> unencrypted communication:
>
> http://postfix.1071664.n5.nabble.com/template/NamlServlet.jtp?macro=print_post&node=88919
>
> http://postfix.1071664.n5.nabble.com/template/NamlServlet.jtp?macro=print_post&node=80355
>
> How does the recommendation that we not REQUIRE super-strong ciphers
> relate to the issue of TLS protocols?  Should we continue to allow TLS
> 1.0/1.1 for the same reason that we should allow weak ciphers?
>
> Thanks!
> Bryan


Re: Disabling TLS 1.0/1.1, is it advisable?

Bryan K. Walton-3
On Wed, Nov 06, 2019 at 11:16:17AM -0600, Blake Hudson wrote:
>
> On port 25 server to server connections, I agree with the sentiments of
> others on this thread and think disabling TLS1.0/1.1 is a bit premature at
> this time for most organizations.

Thanks, Viktor and Blake! Your replies answered my question.  We will leave
TLS 1.0/1.1 enabled on our public server to server connections, and begin
to phase out these versions on our internal server connections and
submission ports.

-Bryan