
I have the following in my TLS configuration, but the only problem I have is that TLS_AES_128_GCM_SHA256 is a 128 bit cipher, and I would like to remove it:

```
smtpd_tls_eecdh_grade = ultra
smtp_tls_eecdh_grade = ultra
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
```

And if I try to change tls_high_cipherlist to somehow disable the TLSv1.3 cipher, I cannot:

```
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:!TLS_AES_128_GCM_SHA256
```

Adding !TLS_AES_128_GCM_SHA256 at the end doesn't work. How can I achieve this? Even if I add the required ciphers at the end, it won't work that way either.

I am able to do this on Apache by doing:

```
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
```

But, I couldn't find anything related to TLSv1.3 in postfix.

The TLSv1.2 Cipher suites that my server supports:

```
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 384   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 384   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 4096    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
```

  • You can't disable TLS 1.3 cipher suites, and shouldn't be trying anyway. – Michael Hampton Jan 09 '21 at 07:45
  • @MichaelHampton Why though?? Is it bad? I am able to disable it on apache.. what about postfix? –  Jan 09 '21 at 07:47
  • @EsaJokinen So, should I also enable it in my apache installation right? –  Jan 09 '21 at 08:06
  • @EsaJokinen Maybe someone should inform SSLLabs about this??? Because they interpret it as weak. They do not seem to be following RFC standards in this case, hence misguiding people who follow it. –  Jan 09 '21 at 08:14
  • @EsaJokinen, what about TLSv1.2? My server only supports some: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`. –  Jan 09 '21 at 08:21
  • I just compiled my comments into a complete answer. – Esa Jokinen Jan 09 '21 at 09:40

1 Answer


TLS 1.3 has mandatory-to-implement cipher suites (RFC 8446, 9.1) you should not try and remove:

> A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).
>
> A TLS-compliant application MUST support digital signatures with rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].

TLS 1.3 has already removed all weak cipher suites by design (RFC 8446, 1.2), so this is not something you should be worrying about.

Getting 100% from Qualys SSL Labs Server Test should not be your major goal. They have their own Rating Guide that specifies their scoring e.g. for Cipher Strength. They have decided that 128 bit ciphers are not worth 100%, and they do not make exceptions based on standards. However, it still gives an A+ grading.

| Cipher strength | Score |
|---|---|
| 0 bits (no encryption) | 0% |
| < 128 bits (e.g., 40, 56) | 20% |
| < 256 bits (e.g., 128, 168) | 80% |
| = 256 bits (e.g., 256) | 100% |

Instead, you should be focusing on a suitable tradeoff between security and compatibility.

Esa Jokinen
  • Anything I am doing wrong with TLSv1.2 btw?? Just give some comments on it, I will proceed :) –  Jan 09 '21 at 10:10
  • I've linked my answers on the subject already twice and currently don't have much to add to it. :) – Esa Jokinen Jan 09 '21 at 10:21
  • And, I use `secp384r1`, but the quote you have included, states `secp256r1`, is it mandatory to use `secp256r1` if I have `secp384r1`? Btw, my RSA key size is 4096 bit, and it is from LetsEncrypt. –  Jan 09 '21 at 10:31
  • Well, I have similar setup using `secp384r1` and a 4096 bit RSA from Let's Encrypt. However, you should notice that the 4096 RSA doesn't truly add security, as long as it's signed with 2048 bit CA certificates. And that's not going to change fast. – Esa Jokinen Jan 09 '21 at 10:46
  • I just realised secp256r1 doesn't work, I think because I have a 4096 bit cert –  Jan 09 '21 at 11:00
  • ***A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) and SHOULD support key exchange with X25519***, I have a 4096 bit cert, duh –  Jan 09 '21 at 11:01
  • I have edited my question with more info –  Jan 09 '21 at 11:10
  • That's not a good idea. I'd revert the edit and ask another question. It's impossible to keep on track and modify existing answers to meet the new criteria in a modified question. This is not a discussion forum but a Q/A site. – Esa Jokinen Jan 09 '21 at 13:23
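
An added example, not part of the original question, answer or comments: it uses Python's `ssl` module, which wraps OpenSSL's cipher-list parser, to show why appending `!TLS_AES_128_GCM_SHA256` to the question's list changes nothing. It assumes Postfix hands `tls_high_cipherlist` to OpenSSL as a cipher list, a syntax that only selects TLS 1.2 and older suites; the function names are hypothetical.

```python
import ssl

# The question's tls_high_cipherlist, including the attempted TLS 1.3 exclusion.
ASKER_CIPHERLIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "!TLS_AES_128_GCM_SHA256"
)


def enabled_suites(cipher_string=None):
    """Return (tls13_names, older_names) enabled in a fresh context.

    cipher_string uses OpenSSL cipher-list syntax; the assumption here is
    that this is the same syntax Postfix passes on from tls_high_cipherlist.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)  # governs TLS 1.2 and older only
    tls13, older = [], []
    for suite in ctx.get_ciphers():
        target = tls13 if suite["protocol"] == "TLSv1.3" else older
        target.append(suite["name"])
    return tls13, older


def compare(cipher_string):
    """Apply cipher_string and report whether the TLS 1.3 suites moved."""
    baseline_tls13, _ = enabled_suites()
    tls13, older = enabled_suites(cipher_string)
    return {
        "tls13_unchanged": tls13 == baseline_tls13,
        "tls13": tls13,
        "tls12_and_older": older,
    }


if __name__ == "__main__":
    result = compare(ASKER_CIPHERLIST)
    print("TLS 1.3 suites unchanged:", result["tls13_unchanged"])
    for name in result["tls13"]:
        print("  TLSv1.3      ", name)
    for name in result["tls12_and_older"]:
        print("  TLSv1.2/older", name)
```

The TLS 1.2 list shrinks to what the string names, while the TLS 1.3 list is whatever the linked OpenSSL build enables by default.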