Created
September 6, 2018 15:58
Remove weak elliptic curves from Exim
```
## remove ECDHE support for curves under 256 bits
tls_require_ciphers = ${if =={$received_port}{25}{NORMAL:%COMPAT:%SERVER_PRECEDENCE:-CURVE-SECP192R1:-CURVE-SECP224R1}{PFS:-DHE-RSA:-3DES-CBC:-CURVE-SECP192R1:-CURVE-SECP224R1}}
```
I was asked to remove elliptic curves under 256 bits from an Exim installation built with GnuTLS. I'm not knowledgeable enough to advise how urgent the need for removing these curves is. They are still recommended for interoperability by RFC 5480 (from 2009). ECC 192 is in the LEGACY profile, and ECC 224 is in the MEDIUM profile (equivalent to 2048 bit RSA, see GnuTLS: Selecting cryptographic key sizes). For maximum compatibility for port 25 delivery we use the NORMAL keyword (see the gnutls manual) and disable the curves using "-CURVE-curveid".

We determine which curves to disable by listing them, and removing the ones with numbers less than 256 in the name.
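The selection rule described above (list the curves GnuTLS knows, drop every name carrying a number below 256, emit each survivor as a `-CURVE-...` exclusion) can be automated so the Exim line is derived rather than typed by hand. The following is an added example, not gwire's code or part of the gist: it parses the `Elliptic curves:` line that `gnutls-cli -l` prints (the sample text here is constructed and the exact line format is an assumption; feed it the real output on your host) and builds the same `tls_require_ciphers` setting as the gist. Curve names with no number in them (for example `CURVE-X25519`) are kept, because the rule is purely name based.

```python
import re

# Constructed sample of gnutls-cli -l output (only the line we need).
# The format is an assumption; replace with the real output from your build.
SAMPLE_GNUTLS_LIST = """\
Elliptic curves: CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1, CURVE-X25519
"""

PORT25_BASE = "NORMAL:%COMPAT:%SERVER_PRECEDENCE"   # interoperability first on port 25
OTHER_BASE = "PFS:-DHE-RSA:-3DES-CBC"              # stricter everywhere else


def list_curves(gnutls_list_output):
    """Return the curve names from the 'Elliptic curves:' line of gnutls-cli -l."""
    for line in gnutls_list_output.splitlines():
        if line.startswith("Elliptic curves:"):
            names = line.split(":", 1)[1].split(",")
            return [n.strip() for n in names if n.strip()]
    return []


def curve_bits(name):
    """Bit size embedded in a curve name (SECP192R1 -> 192), or None if absent."""
    m = re.search(r"(\d+)", name)
    return int(m.group(1)) if m else None


def weak_curves(curves, minimum_bits=256):
    """Curves whose name carries a number below minimum_bits; unnumbered names stay."""
    weak = []
    for c in curves:
        bits = curve_bits(c)
        if bits is not None and bits < minimum_bits:
            weak.append(c)
    return weak


def priority_string(base, excluded):
    """Append one '-CURVE-...' exclusion per weak curve to a GnuTLS priority string."""
    return ":".join([base] + ["-" + c for c in excluded])


def exim_tls_require_ciphers(curves, minimum_bits=256):
    """Build the Exim setting: relaxed string on port 25, PFS-only string elsewhere."""
    weak = weak_curves(curves, minimum_bits)
    port25 = priority_string(PORT25_BASE, weak)
    other = priority_string(OTHER_BASE, weak)
    return ("tls_require_ciphers = ${if =={$received_port}{25}"
            "{" + port25 + "}{" + other + "}}")


if __name__ == "__main__":
    curves = list_curves(SAMPLE_GNUTLS_LIST)
    print("weak curves:", weak_curves(curves))
    print(exim_tls_require_ciphers(curves))
```

Paste the printed line into the Exim configuration. To confirm GnuTLS accepts the resulting priority string and that the excluded curves are really gone, run `gnutls-cli -l --priority '<string>'` on the same host, which lists what that string enables.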