Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?


Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

robgane
SHA1 cert signing is (being) deprecated

  https://www.entrust.com/sha-1-2017/

So SHA1-signed certs < BAD!

Does that apply at all for ciphers using Mac=SHA1?

I don't *think* it does.  And I don't find anything that says it does.  Or doesn't, as far as that goes.

In my postfix logs, I still see use of

          0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
          0xC0,0x19 - AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
          0xC0,0x14 - ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
          0x00,0x3A - ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
          0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
          0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1

And in the HIGH + MEDIUM cipherlist I use in postfix,

  openssl ciphers -V 'HIGH:MEDIUM:' | grep SHA1 | wc -l
    40

there's still 40 ciphers with Mac=SHA1.

Just wanted to verify if the problem is just with cert-signing, or a more general usage of SHA1 in any way, in the context of Postfix.

Rob


Re: Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

Viktor Dukhovni
On Wed, Aug 02, 2017 at 08:30:21AM -0700, [hidden email] wrote:

> SHA1 cert signing is (being) deprecated

By the CAs, so you don't need to take any action.  With all the
trusted CAs no longer issuing SHA-1 certs, pretty soon all the
extant SHA-1 certs will expire, and there'll be nothing to
enforce.

> So SHA1-signed certs < BAD!

Don't panic.  SHA-1 has been tarnished and is being phased out,
but there are no practical near-term attacks on X.509.  The
browsers and CAs are driving it out of the ecosystem early,
which is a good idea, but there's no need for SMTP MTAs to
be part of the police squad deporting SHA-1.

> I don't *think* it does.  And I don't find anything that says it does.  Or doesn't, as far as that goes.
>
> In my postfix logs, I still see use of
>
>           0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
>           0xC0,0x19 - AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
>           0xC0,0x14 - ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
>           0x00,0x3A - ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
>           0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
>           0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1

This is SHA-1 as a keyed MAC for TLS message integrity, not SHA-1
in certificates.  No better MAC is available for TLS 1.0 and 1.1,
for SHA2 ciphersuites you need TLS 1.2, which has not yet driven
out its predecessors.  SHA-1 as a keyed MAC (HMAC IIRC) is not
believed vulnerable to collision attacks.

> And in the HIGH + MEDIUM cipherlist I use in postfix,
>
>   openssl ciphers -V 'HIGH:MEDIUM:' | grep SHA1 | wc -l
>     40
>
> there's still 40 ciphers with Mac=SHA1.
>
> Just wanted to verify if the problem is just with cert-signing, or a more
> general usage of SHA1 in any way, in the context of Postfix.

If there were a real problem, the onus to deprecate the weak code
points would be on OpenSSL and to some extent Postfix.  As a user
you really should not be working so hard to optimize for security.

Indeed such efforts are often counterproductive.  If you're doing
opportunistic TLS, then TLS gives you the strongest mutually
supported ciphersuite.  Some security is better than none, if
you exclude weaker, but still widely best-available ciphers then
you get cleartext delivery instead.

    https://tools.ietf.org/html/rfc7435

--
        Viktor.
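An added example, not from the thread and not Postfix or OpenSSL code: a small Python parser over `openssl ciphers -V` output (the six lines quoted above plus one constructed TLS 1.2 AEAD suite for contrast) that labels what the Mac= column really provides and shows what a peer limited to TLS 1.0 would be left with if every Mac=SHA1 suite were excluded, which is the trade-off the reply describes.

```python
import re
from collections import Counter

# Constructed sample in "openssl ciphers -V" format: the six lines quoted in the
# thread plus one TLS 1.2 AEAD suite added here for contrast.
SAMPLE = """\
0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x19 - AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
0xC0,0x14 - ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
0x00,0x3A - ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# The protocol column is the lowest version under which a suite can be negotiated.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

LINE_RE = re.compile(
    r"^\s*(?P<code>0x[0-9A-F]{2},0x[0-9A-F]{2})\s+-\s+(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s*$"
)

def parse_ciphers(text):
    """Parse 'openssl ciphers -V' output into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def mac_kind(suite):
    """What the Mac= column actually provides for TLS record integrity."""
    if suite["mac"] == "AEAD":
        return "aead"       # integrity comes from the AEAD cipher mode (TLS 1.2+)
    if suite["mac"] == "SHA1":
        return "hmac-sha1"  # keyed HMAC-SHA1, not the certificate-signature use of SHA-1
    return "hmac-sha2"      # HMAC-SHA256/384, also TLS 1.2 only

def usable_by_peer(suites, peer_max_proto):
    """Names of suites a peer whose newest protocol is peer_max_proto could negotiate."""
    limit = PROTO_RANK[peer_max_proto]
    return [s["name"] for s in suites if PROTO_RANK[s["proto"]] <= limit]

def coverage_report(text, drop_mac="SHA1"):
    """Count suites by MAC kind and show what a TLS 1.0-only peer is left with
    once every Mac=<drop_mac> suite is removed from the list."""
    suites = parse_ciphers(text)
    kept = [s for s in suites if s["mac"] != drop_mac]
    return {
        "by_mac": dict(Counter(mac_kind(s) for s in suites)),
        "tls10_peer_before": usable_by_peer(suites, "TLSv1"),
        "tls10_peer_after": usable_by_peer(kept, "TLSv1"),
    }
```

With opportunistic TLS, an empty `tls10_peer_after` list means such peers would get cleartext delivery rather than a stronger suite.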

Re: Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

robgane


On Wed, Aug 2, 2017, at 11:01 AM, Viktor Dukhovni wrote:
> This is SHA-1 as a keyed MAC for TLS message integrity, not SHA-1
> in certificates.

Yep

> No better MAC is available for TLS 1.0 and 1.1,
> for SHA2 ciphersuites you need TLS 1.2, which has not yet driven
> out its predecessors.

That settles it in any case.  I leave it alone.

> SHA-1 as a keyed MAC (HMAC IIRC) is not
> believed vulnerable to collision attacks.

Good to know

> If there were a real problem, the onus to deprecate the weak code
> points would be on OpenSSL and to some extent Postfix.  As a user
> you really should not be working so hard to optimize for security.

I'll keep it up to understand it.  Happy to use defaults as long as I understand them and the implications.

Wouldn't be the first time there was an "onus" on somebody to do something, and it wasn't.

Trust but verify!

> If you're doing opportunistic TLS

For this project, I'm not as of this morning.  Switched to Mandatory TLS.

Now just working on getting a good understanding of what's what when using it.