[exim.git] / doc / doc-txt / GnuTLS-FAQ.txt

Using Exim 4.80+ with GnuTLS
============================

(1) I'm having problems building with GnuTLS 1, why?
(2) What changed?  Why?
(3) I'm seeing:
    "(gnutls_handshake): A TLS packet with unexpected length was received"
    Why?
(4) What's the deal with MD5?
(5) What happened to gnutls_require_kx / gnutls_require_mac /
    gnutls_require_protocols?
(6) What's the deal with tls_dh_max_bits?  What's DH?
(7) What's a Priority String?
(8) How do I use tls_require_ciphers?
(9) How do I test STARTTLS support?


(1): I'm having problems building with GnuTLS 1, why?
-----------------------------------------------------

GnuTLS's library interface has changed and Exim uses the more current
interface.  Since GnuTLS is security critical code, you should probably update
to a supported release.

If updating GnuTLS is not an option, then build Exim against OpenSSL instead.

If neither is an option, then you might build Exim with the rule
"SUPPORT_TLS=yes" commented out in "Local/Makefile", so that your Exim build
no longer has TLS support.

If you need to keep TLS support, and you can't use OpenSSL, then you'll have
to update the GnuTLS you have installed.  Sorry.

We've tested the build of Exim back as far as GnuTLS 2.8.x; most development
work is done with 2.12 and tested on 2.10 and 3.x.

If you have to pick a version to upgrade to, use GnuTLS 3.x if available.  The
GnuTLS developers took advantage of the version bump to add an error code
return value which makes debugging some problems a lot easier.


(2): What changed?  Why?
------------------------

The GnuTLS provider integration in Exim was overhauled, rewritten but with
some copy/paste, because building Exim against more current releases of GnuTLS
was issuing deprecation warnings from the compiler.

When a library provider marks up the include files so that some function calls
will cause the compiler/linker to emit deprecation warnings, it's time to pay
serious attention.  A future release might not work at all.  Using the new
APIs may mean that Exim will *stop* working with older releases of GnuTLS.
The GnuTLS support in Exim was overhauled in Exim 4.80.  In prior releases,
Exim hard-coded a lot of algorithms and constrained what could happen.  In
Exim 4.79, we added to the hard-coded list just enough to let TLSv1.1 and
TLSv1.2 be negotiated, but not actually support the mandatory algorithms of
those protocol versions.  When Exim's GnuTLS integration was originally
written, there was no other choice than to make Exim responsible for a lot of
this.  In the meantime, GnuTLS has improved.

With the rewrite, we started using the current API and leaving a lot more
responsibility for TLS decisions to the library.

The GnuTLS developers added "priority strings" (see Q7), which provide an
interface exposed to the configuration file for a lot of the tuning.

The GnuTLS policy is to no longer support MD5 in certificates.  Exim had
previously been immune to this policy, but no longer.  See Q4.


(3): I'm seeing "A TLS packet with unexpected length was received".  Why?
-------------------------------------------------------------------------

The most likely reason is that the client dropped the connection during
handshake, because their library disliked some aspect of the negotiation.

In GnuTLS 2, an EOF on the connection is reported with an error code for
packets being too large, and the above is the string returned by the library
for that error code.  In GnuTLS 3, there's a specific error code for EOF and
the diagnostic will be less confusing.

Most likely cause is an MD5 hash used in a certificate.  See Q4 below.
Alternatively, the client dislikes the size of the Diffie-Hellman prime
offered by the server; if lowering the value of the "tls_dh_max_bits" Exim
option fixes the problem, this was the cause.  See Q6.


(4): What's the deal with MD5?
------------------------------

MD5 is a hash algorithm.  Hash algorithms are used to reduce a lot of data
down to a fairly short value, which is supposed to be extremely hard to
manipulate to get a value of someone's choosing.  Signatures, used to attest
to identity or integrity, rely upon this manipulation being effectively
impossible, because the signature is the result of math upon the hash result.
Without hash algorithms, signatures would be longer than the text being
signed.

MD5 was once very popular.  It still is far too popular.  Real world attacks
have been proven possible against MD5.  Including an attack against PKI
(Public Key Infrastructure) certificates used for SSL/TLS.  In that attack,
the attackers got a certificate for one identity but we able to then public a
certificate with the same signature but a different identity.  This undermines
the whole purpose of having certificates.

So GnuTLS stopped trusting any certificate with an MD5-based hash used in it.
The world has been hurriedly moving away from MD5 in certificates for a while.
If you still have such a certificate, you should move too.

If you paid someone for your certificate, they should be willing to reissue
the certificate with a different algorithm, for no extra money.  If they try
to charge money to replace their defective product, buy from someone else
instead.  Part of the reason for paying money on a recurring basis is to cover
the ongoing costs of proving a trust relationship, such as providing
revocation protocols.  This is just another of those ongoing costs you have
already paid for.


(5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols?
---------------------------------------------------------------------------

These Exim options were used to provide fine-grained control over the TLS
negotiation performed by GnuTLS.  They required explicit protocol knowledge
from Exim, which vastly limited what GnuTLS could do and involved the Exim
maintainers in decisions which aren't part of their professional areas of
expertise.  The need for Exim to be able to do this went away when GnuTLS
introduced Priority Strings (see Q7).

If you were using these options before, then you're already an expert user and
should be able to easily craft a priority string to accomplish your goals.
Set the Exim "tls_require_ciphers" value accordingly.  There is a main section
option of this name, used for Exim receiving inbound connections, and an SMTP
driver transport option of this name, used for Exim establishing outbound
connections.


(6): What's the deal with tls_dh_max_bits?  What's DH?
------------------------------------------------------

DH, Diffie-Hellman (or Diffie-Hellman-Merkle, or something naming Williamson)
is the common name for a way for two parties to a communication stream to
exchange some private random data so that both end up with a shared secret
which no evesdropper can get.  It does not provide for proof of the identity
of either party, so on its own is subject to man-in-the-middle attacks, but is
often combined with systems which do provide such proof, improving them by
separating the session key (the shared secret) from the long-term identity,
and so protecting past communications from a break of the long-term identity.

To do this, the server sends to the client a very large prime number; this is
in the clear, an attacker can see it.  This is not a problem; it's so not a
problem, that there are standard named primes which applications can use, and
which a future release of Exim will probably support.

The size of the prime number affects how difficult it is to break apart the
shared secret and decrypt the data.  As time passes, the size required to
provide protection against an adversary climbs: computers get more powerful,
mathematical advances are made, and so on.

Estimates of the size needed are published as recommendations by various
groups; a good summary of sizes currently recommended, for various
cryptographic primitives, is available at:

  http://www.keylength.com/en/3/

The GnuTLS folks think the ECRYPT II advice is good.  They know far more of
such matters than the Exim folks, we just say "er, what they said".

One of the new pieces of the GnuTLS API is a means for an application to ask
it for guidance and advice on how large some numbers should be.  This is not
entirely internal to GnuTLS since generating the numbers is slow, an
application might want to use a standard prime, etc.  So, in an attempt to get
away from being involved in cryptographic policy, and to get rid of a
hard-coded "1024" in Exim's source-code, we switched to asking GnuTLS how many
bits should be in the prime number generated for use for Diffie-Hellman.  To
give back to GnuTLS for use  We can ask for various sizes, and did not expose
this to the administrator but instead just asked for "NORMAL" protection.
Literally:

 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);

This API is only available as of GnuTLS 2.12.  Prior to that release, we stuck
with the old value, for compatibility, so "1024" is still hard-coded.
Reviewing the page above, you'll see that this is described as "Short-term
protection against medium organizations, medium-term protection against small
organizations."

So if you are using an old release of GnuTLS, you can either add to
Local/Makefile a different value of "EXIM_SERVER_DH_BITS_PRE2_12" or accept
that your protection might not be adequate to your needs.  We advise updating
to a more current GnuTLS release and rebuilding Exim against that.

Unfortunately, some TLS libraries have the client side bound how large a DH
prime they will accept from the server.  The larger the number, the more
computation required to work with it and the slower that things get.  So they
pick what they believe to be reasonable upper bounds, and then typically
forget about it for several years.

Worse, in TLS the DH negotiation happens after a ciphersuite has been chosen,
so if the client dislikes the value then a different ciphersuite avoiding DH
can not be negotiated!  The client typically drops the connection, resulting
in errors to the user and errors in the Exim logs.  With GnuTLS 3, you'll see
the EOF (End-Of-File) error message in Exim's logs, reported as being part of
"gnutls_handshake", but with GnuTLS 2 you'll see a log message about a packet
with an unexpected size.  Unless the client software is written intelligently
enough to be able to adapt and reconnect forbidding DH, the client will never
be able to negotiate TLS.

This time around, we discovered that the NSS library used by various Mozilla
products, Chrome, etc, and most particularly by the Thunderbird mail client,
has the lowest cap.  In fact, prior to recent updates, their upper limit was
lower than the value returned by GnuTLS for "NORMAL".  The most recent NSS
library release raises this, but the most recent Thunderbird release still has
the old limit.

So Exim had to get involved in cryptography policy decisions again.  We added
the "tls_dh_max_bits" global option, to set a number used in both OpenSSL and
GnuTLS bindings for Exim.  In GnuTLS, it clamps the value returned by
gnutls_sec_param_to_pk_bits(), so that if the returned value is larger than
tls_dh_max_bits then tls_dh_max_bits would be used instead.

Our policy decision was to default the value of tls_dh_max_bits to the maximum
supported in the most recent Thunderbird release, and to make this an
administrator-available option so that administrators can choose to trade off
security versus compatibility by raising it.

A future release of Exim may even let the administrator tell GnuTLS to ask for
more or less than "NORMAL".

A TLS client does not get to choose the DH prime used, but can choose a
minimum acceptable value.  For Exim, this is a compile-time constant called
"EXIM_CLIENT_DH_MIN_BITS" of 1024, which can be overruled in "Local/Makefile".


(7): What's a Priority String?
------------------------------

A priority string is a way for a user of GnuTLS to tell GnuTLS how it should
make decisions about what to do in TLS; it includes which algorithms to make
available for various roles, what compatibility trade-offs to make, which
features to enable or disable.

It is exposed to the Mail Administrator in Exim's configuration file as the
"tls_require_ciphers" option, which exists as a main section option for use in
Exim as a server, accepting connections, and as an option on Transports using
the SMTP driver, for use in Exim as a client.  The main section option is
*not* the default for the transport option, they are entirely independent.
For both, the default value used by Exim is the string "NORMAL".  (This is not
the same NORMAL as for DH prime bit size selection in Q6, but a different
NORMAL.)  See Q8.

The current documentation, for the most recent release of GnuTLS, is available
online at:

  http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html

Beware that if you are not using the most recent GnuTLS release then this
documentation will be wrong for you!  You should find the "info" documentation
which came with GnuTLS to review the available options.  It's under "The TLS
Handshake Protocol".

$ pinfo --node="Priority Strings" gnutls

(This author is unable to persuade the "info" command-line tool to jump
straight to the required node, but "pinfo" works.)

To trade off some security for more compatibility, you might set a value of
"NORMAL:%COMPAT".  See the documentation for more, including lowering security
even further for more security, forcing clients to use the server's protocol
suite, and ways to force selection of particular algorithms.


(8): How do I use tls_require_ciphers?
--------------------------------------

This is the name of two options in Exim.  One is a main section option, used
by Exim as a server when a client initiates SSL/TLS negotiation, the other is
an option on transports which use "driver = smtp", used when Exim initiates
SSL/TLS as a client talking to a remote server.

The option is expanded and so can take advantage of any variables which have
been set.  This includes the IP address of the remote side, the port upon
which a connection was accepted (when a server), and more.  Currently it does
not have access to $tls_sni, whether as a client or as a server.

This example, for the main section's option, will let the library defaults be
permitted on the MX port, where there's probably no identity verification
anyway, and lowers security further by increasing compatibility; but this ups
the ante on the submission ports where the administrator might have some
influence on the choice of clients used:

tls_require_ciphers = ${if =={$received_port}{25}\
                           {NORMAL:%COMPAT}\
                           {SECURE128}}

Note that during Exim start-up, when this option is sanity-checked, there will
be no value of $received_port.  In the above example, the checked value will
thus be "SECURE128".  Be careful to ensure that it always expands safely.


(9): How do I test STARTTLS support?
------------------------------------

The best command-line client for debugging specifically SSL/TLS which this
author has encountered is part of the GnuTLS suite, and is called
"gnutls-cli".  It's best because it's the only interactive tool which lets the
user start TLS handshake exactly when they wish, so can choose to use the
STARTTLS command.

$ gnutls-cli --starttls --crlf --port 587 mail.example.org

After EHLO, to see the capabilities, enter STARTTLS, wait for the response,
then send EOF.  Typically that's done by typing Ctrl-D at the start of a line.
The "gnutls-cli" tool will take over, set up TLS (or fail) and by the time it
returns to await more user input, you're using a secure connection and should
type your second EHLO.

The "--x509cafile" option may be helpful for checking certificates and
"--priority" to pass a priority string to the client tool for configuring it.

The --crlf is for strict protocol correctness, but Exim doesn't really need
it, so "gnutls-cli -s -p 587 mail.example.org" is shorter.


For debugging SMTP as a whole, we recommend swaks, "Swiss Army Knife SMTP", by
John Jetmore (one of the Exim Maintainers).  This has some TLS tuning options;
it can be found at:

  http://www.jetmore.org/john/code/swaks/


For OpenSSL, the "openssl s_client" command helps; you can either set up Exim
with a listening port which is SSL-on-connect or tell s_client to use
STARTTLS.

For the former, use the "tls_on_connect_ports" option and the
"daemon_smtp_ports" option.  Most clients for SSL-on-connect use the port
which was briefly registered with IANA for this purpose, 465.  So you would
set something like:

  daemon_smtp_ports = 25 : 465 : 587
  tls_on_connect_ports = 465

To use s_client with STARTTLS support, use "-starttls smtp" on the
command-line.  Beware that older versions of OpenSSL did not wait for the SMTP
banner before sending EHLO, which will fall afoul of the protocol
synchronisation checks in Exim (used to trip up pump-and-dump spammers); also
you will not get control of the session until TLS is established.  That said,
this tool provides more tuning hooks for adjusting how TLS will be set up than
most.

*BEWARE* that by default, s_client will take any line starting with a capital
letter "R" to be a request to initiate TLS renegotiation with the server and
the line will not be sent.  This may trip up "RCPT TO:<someone@example.org>"
lines in SMTP.  SMTP is not case-sensitive, so type "rcpt to" instead.
Alternatively, invoke s_client with the "-ign_eof" option to disable this
R-filtering and a few other features.


# END OF FAQ
Commit	Line	Data
51fb80db PP	1	Using Exim 4.80+ with GnuTLS
	2	============================
	3
	4	(1) I'm having problems building with GnuTLS 1, why?
	5	(2) What changed? Why?
	6	(3) I'm seeing:
	7	"(gnutls_handshake): A TLS packet with unexpected length was received"
	8	Why?
	9	(4) What's the deal with MD5?
	10	(5) What happened to gnutls_require_kx / gnutls_require_mac /
	11	gnutls_require_protocols?
	12	(6) What's the deal with tls_dh_max_bits? What's DH?
	13	(7) What's a Priority String?
	14	(8) How do I use tls_require_ciphers?
	15	(9) How do I test STARTTLS support?
	16
	17
	18
	19	(1): I'm having problems building with GnuTLS 1, why?
	20	-----------------------------------------------------
	21
	22	GnuTLS's library interface has changed and Exim uses the more current
	23	interface. Since GnuTLS is security critical code, you should probably update
	24	to a supported release.
	25
	26	If updating GnuTLS is not an option, then build Exim against OpenSSL instead.
	27
	28	If neither is an option, then you might build Exim with the rule
	29	"SUPPORT_TLS=yes" commented out in "Local/Makefile", so that your Exim build
	30	no longer has TLS support.
	31
	32	If you need to keep TLS support, and you can't use OpenSSL, then you'll have
	33	to update the GnuTLS you have installed. Sorry.
	34
	35	We've tested the build of Exim back as far as GnuTLS 2.8.x; most development
	36	work is done with 2.12 and tested on 2.10 and 3.x.
	37
	38	If you have to pick a version to upgrade to, use GnuTLS 3.x if available. The
	39	GnuTLS developers took advantage of the version bump to add an error code
	40	return value which makes debugging some problems a lot easier.
	41
	42
	43
	44	(2): What changed? Why?
	45	------------------------
	46
	47	The GnuTLS provider integration in Exim was overhauled, rewritten but with
	48	some copy/paste, because building Exim against more current releases of GnuTLS
	49	was issuing deprecation warnings from the compiler.
	50
	51	When a library provider marks up the include files so that some function calls
	52	will cause the compiler/linker to emit deprecation warnings, it's time to pay
	53	serious attention. A future release might not work at all. Using the new
	54	APIs may mean that Exim will stop working with older releases of GnuTLS.
	55	The GnuTLS support in Exim was overhauled in Exim 4.80. In prior releases,
	56	Exim hard-coded a lot of algorithms and constrained what could happen. In
	57	Exim 4.79, we added to the hard-coded list just enough to let TLSv1.1 and
	58	TLSv1.2 be negotiated, but not actually support the mandatory algorithms of
	59	those protocol versions. When Exim's GnuTLS integration was originally
	60	written, there was no other choice than to make Exim responsible for a lot of
	61	this. In the meantime, GnuTLS has improved.
	62
	63	With the rewrite, we started using the current API and leaving a lot more
	64	responsibility for TLS decisions to the library.
65
66	The GnuTLS developers added "priority strings" (see Q7), which provide an
67	interface exposed to the configuration file for a lot of the tuning.
68
69	The GnuTLS policy is to no longer support MD5 in certificates. Exim had
70	previously been immune to this policy, but no longer. See Q4.
71
72
73
74	(3): I'm seeing "A TLS packet with unexpected length was received". Why?
75	-------------------------------------------------------------------------
76
77	The most likely reason is that the client dropped the connection during
78	handshake, because their library disliked some aspect of the negotiation.
79
80	In GnuTLS 2, an EOF on the connection is reported with an error code for
81	packets being too large, and the above is the string returned by the library
82	for that error code. In GnuTLS 3, there's a specific error code for EOF and
83	the diagnostic will be less confusing.
84
85	Most likely cause is an MD5 hash used in a certificate. See Q4 below.
86	Alternatively, the client dislikes the size of the Diffie-Hellman prime
87	offered by the server; if lowering the value of the "tls_dh_max_bits" Exim
88	option fixes the problem, this was the cause. See Q6.
89
90
91
92	(4): What's the deal with MD5?
93	------------------------------
94
95	MD5 is a hash algorithm. Hash algorithms are used to reduce a lot of data
96	down to a fairly short value, which is supposed to be extremely hard to
97	manipulate to get a value of someone's choosing. Signatures, used to attest
98	to identity or integrity, rely upon this manipulation being effectively
99	impossible, because the signature is the result of math upon the hash result.
100	Without hash algorithms, signatures would be longer than the text being
101	signed.
102
103	MD5 was once very popular. It still is far too popular. Real world attacks
104	have been proven possible against MD5. Including an attack against PKI
105	(Public Key Infrastructure) certificates used for SSL/TLS. In that attack,
106	the attackers got a certificate for one identity but we able to then public a
107	certificate with the same signature but a different identity. This undermines
108	the whole purpose of having certificates.
109
110	So GnuTLS stopped trusting any certificate with an MD5-based hash used in it.
111	The world has been hurriedly moving away from MD5 in certificates for a while.
112	If you still have such a certificate, you should move too.
113
114	If you paid someone for your certificate, they should be willing to reissue
115	the certificate with a different algorithm, for no extra money. If they try
116	to charge money to replace their defective product, buy from someone else
117	instead. Part of the reason for paying money on a recurring basis is to cover
118	the ongoing costs of proving a trust relationship, such as providing
119	revocation protocols. This is just another of those ongoing costs you have
120	already paid for.
121
122
123
124	(5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols?
125	---------------------------------------------------------------------------
126
127	These Exim options were used to provide fine-grained control over the TLS
128	negotiation performed by GnuTLS. They required explicit protocol knowledge
129	from Exim, which vastly limited what GnuTLS could do and involved the Exim
130	maintainers in decisions which aren't part of their professional areas of
131	expertise. The need for Exim to be able to do this went away when GnuTLS
132	introduced Priority Strings (see Q7).
133
134	If you were using these options before, then you're already an expert user and
135	should be able to easily craft a priority string to accomplish your goals.
136	Set the Exim "tls_require_ciphers" value accordingly. There is a main section
137	option of this name, used for Exim receiving inbound connections, and an SMTP
138	driver transport option of this name, used for Exim establishing outbound
139	connections.
140
141
142
143	(6): What's the deal with tls_dh_max_bits? What's DH?
144	------------------------------------------------------
145
146	DH, Diffie-Hellman (or Diffie-Hellman-Merkle, or something naming Williamson)
147	is the common name for a way for two parties to a communication stream to
148	exchange some private random data so that both end up with a shared secret
149	which no evesdropper can get. It does not provide for proof of the identity
150	of either party, so on its own is subject to man-in-the-middle attacks, but is
151	often combined with systems which do provide such proof, improving them by
152	separating the session key (the shared secret) from the long-term identity,
153	and so protecting past communications from a break of the long-term identity.
154
155	To do this, the server sends to the client a very large prime number; this is
156	in the clear, an attacker can see it. This is not a problem; it's so not a
157	problem, that there are standard named primes which applications can use, and
158	which a future release of Exim will probably support.
159
160	The size of the prime number affects how difficult it is to break apart the
161	shared secret and decrypt the data. As time passes, the size required to
162	provide protection against an adversary climbs: computers get more powerful,
163	mathematical advances are made, and so on.
164
165	Estimates of the size needed are published as recommendations by various
166	groups; a good summary of sizes currently recommended, for various
167	cryptographic primitives, is available at:
168
169	http://www.keylength.com/en/3/
170
171	The GnuTLS folks think the ECRYPT II advice is good. They know far more of
172	such matters than the Exim folks, we just say "er, what they said".
173
174	One of the new pieces of the GnuTLS API is a means for an application to ask
175	it for guidance and advice on how large some numbers should be. This is not
176	entirely internal to GnuTLS since generating the numbers is slow, an
177	application might want to use a standard prime, etc. So, in an attempt to get
178	away from being involved in cryptographic policy, and to get rid of a
179	hard-coded "1024" in Exim's source-code, we switched to asking GnuTLS how many
180	bits should be in the prime number generated for use for Diffie-Hellman. To
181	give back to GnuTLS for use We can ask for various sizes, and did not expose
182	this to the administrator but instead just asked for "NORMAL" protection.
183	Literally:
184
185	dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
186
187	This API is only available as of GnuTLS 2.12. Prior to that release, we stuck
188	with the old value, for compatibility, so "1024" is still hard-coded.
189	Reviewing the page above, you'll see that this is described as "Short-term
190	protection against medium organizations, medium-term protection against small
191	organizations."
192
193	So if you are using an old release of GnuTLS, you can either add to
194	Local/Makefile a different value of "EXIM_SERVER_DH_BITS_PRE2_12" or accept
195	that your protection might not be adequate to your needs. We advise updating
196	to a more current GnuTLS release and rebuilding Exim against that.
197
198	Unfortunately, some TLS libraries have the client side bound how large a DH
199	prime they will accept from the server. The larger the number, the more
200	computation required to work with it and the slower that things get. So they
201	pick what they believe to be reasonable upper bounds, and then typically
202	forget about it for several years.
203
204	Worse, in TLS the DH negotiation happens after a ciphersuite has been chosen,
205	so if the client dislikes the value then a different ciphersuite avoiding DH
206	can not be negotiated! The client typically drops the connection, resulting
207	in errors to the user and errors in the Exim logs. With GnuTLS 3, you'll see
208	the EOF (End-Of-File) error message in Exim's logs, reported as being part of
209	"gnutls_handshake", but with GnuTLS 2 you'll see a log message about a packet
210	with an unexpected size. Unless the client software is written intelligently
211	enough to be able to adapt and reconnect forbidding DH, the client will never
212	be able to negotiate TLS.
213
214	This time around, we discovered that the NSS library used by various Mozilla
215	products, Chrome, etc, and most particularly by the Thunderbird mail client,
216	has the lowest cap. In fact, prior to recent updates, their upper limit was
217	lower than the value returned by GnuTLS for "NORMAL". The most recent NSS
218	library release raises this, but the most recent Thunderbird release still has
219	the old limit.
220
221	So Exim had to get involved in cryptography policy decisions again. We added
222	the "tls_dh_max_bits" global option, to set a number used in both OpenSSL and
223	GnuTLS bindings for Exim. In GnuTLS, it clamps the value returned by
224	gnutls_sec_param_to_pk_bits(), so that if the returned value is larger than
225	tls_dh_max_bits then tls_dh_max_bits would be used instead.
226
227	Our policy decision was to default the value of tls_dh_max_bits to the maximum
228	supported in the most recent Thunderbird release, and to make this an
229	administrator-available option so that administrators can choose to trade off
230	security versus compatibility by raising it.
231
232	A future release of Exim may even let the administrator tell GnuTLS to ask for
233	more or less than "NORMAL".
234
235	A TLS client does not get to choose the DH prime used, but can choose a
236	minimum acceptable value. For Exim, this is a compile-time constant called
237	"EXIM_CLIENT_DH_MIN_BITS" of 1024, which can be overruled in "Local/Makefile".
238
239
240
241	(7): What's a Priority String?
242	------------------------------
243
244	A priority string is a way for a user of GnuTLS to tell GnuTLS how it should
245	make decisions about what to do in TLS; it includes which algorithms to make
246	available for various roles, what compatibility trade-offs to make, which
247	features to enable or disable.
248
249	It is exposed to the Mail Administrator in Exim's configuration file as the
250	"tls_require_ciphers" option, which exists as a main section option for use in
251	Exim as a server, accepting connections, and as an option on Transports using
252	the SMTP driver, for use in Exim as a client. The main section option is
253	not the default for the transport option, they are entirely independent.
254	For both, the default value used by Exim is the string "NORMAL". (This is not
255	the same NORMAL as for DH prime bit size selection in Q6, but a different
256	NORMAL.) See Q8.
257
258	The current documentation, for the most recent release of GnuTLS, is available
259	online at:
260
261	http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
262
263	Beware that if you are not using the most recent GnuTLS release then this
264	documentation will be wrong for you! You should find the "info" documentation
265	which came with GnuTLS to review the available options. It's under "The TLS
266	Handshake Protocol".
267
268	$ pinfo --node="Priority Strings" gnutls
269
270	(This author is unable to persuade the "info" command-line tool to jump
271	straight to the required node, but "pinfo" works.)
272
273	To trade off some security for more compatibility, you might set a value of
274	"NORMAL:%COMPAT". See the documentation for more, including lowering security
275	even further for more security, forcing clients to use the server's protocol
276	suite, and ways to force selection of particular algorithms.
277
278
279
280	(8): How do I use tls_require_ciphers?
281	--------------------------------------
282
283	This is the name of two options in Exim. One is a main section option, used
284	by Exim as a server when a client initiates SSL/TLS negotiation, the other is
285	an option on transports which use "driver = smtp", used when Exim initiates
286	SSL/TLS as a client talking to a remote server.
287
288	The option is expanded and so can take advantage of any variables which have
289	been set. This includes the IP address of the remote side, the port upon
290	which a connection was accepted (when a server), and more. Currently it does
291	not have access to $tls_sni, whether as a client or as a server.
292
293	This example, for the main section's option, will let the library defaults be
294	permitted on the MX port, where there's probably no identity verification
295	anyway, and lowers security further by increasing compatibility; but this ups
296	the ante on the submission ports where the administrator might have some
297	influence on the choice of clients used:
298
299	tls_require_ciphers = ${if =={$received_port}{25}\
300	{NORMAL:%COMPAT}\
301	{SECURE128}}
302
303	Note that during Exim start-up, when this option is sanity-checked, there will
304	be no value of $received_port. In the above example, the checked value will
305	thus be "SECURE128". Be careful to ensure that it always expands safely.
306
307
308
309	(9): How do I test STARTTLS support?
310	------------------------------------
311
312	The best command-line client for debugging specifically SSL/TLS which this
313	author has encountered is part of the GnuTLS suite, and is called
314	"gnutls-cli". It's best because it's the only interactive tool which lets the
315	user start TLS handshake exactly when they wish, so can choose to use the
316	STARTTLS command.
317
318	$ gnutls-cli --starttls --crlf --port 587 mail.example.org
319
320	After EHLO, to see the capabilities, enter STARTTLS, wait for the response,
321	then send EOF. Typically that's done by typing Ctrl-D at the start of a line.
322	The "gnutls-cli" tool will take over, set up TLS (or fail) and by the time it
323	returns to await more user input, you're using a secure connection and should
324	type your second EHLO.
325
326	The "--x509cafile" option may be helpful for checking certificates and
327	"--priority" to pass a priority string to the client tool for configuring it.
328
329	The --crlf is for strict protocol correctness, but Exim doesn't really need
330	it, so "gnutls-cli -s -p 587 mail.example.org" is shorter.
331
332
333	For debugging SMTP as a whole, we recommend swaks, "Swiss Army Knife SMTP", by
334	John Jetmore (one of the Exim Maintainers). This has some TLS tuning options;
335	it can be found at:
336
337	http://www.jetmore.org/john/code/swaks/
338
339
340	For OpenSSL, the "openssl s_client" command helps; you can either set up Exim
341	with a listening port which is SSL-on-connect or tell s_client to use
342	STARTTLS.
343
344	For the former, use the "tls_on_connect_ports" option and the
345	"daemon_smtp_ports" option. Most clients for SSL-on-connect use the port
346	which was briefly registered with IANA for this purpose, 465. So you would
347	set something like:
348
349	daemon_smtp_ports = 25 : 465 : 587
350	tls_on_connect_ports = 465
351
352	To use s_client with STARTTLS support, use "-starttls smtp" on the
353	command-line. Beware that older versions of OpenSSL did not wait for the SMTP
354	banner before sending EHLO, which will fall afoul of the protocol
355	synchronisation checks in Exim (used to trip up pump-and-dump spammers); also
356	you will not get control of the session until TLS is established. That said,
357	this tool provides more tuning hooks for adjusting how TLS will be set up than
358	most.
359
360	BEWARE that by default, s_client will take any line starting with a capital
361	letter "R" to be a request to initiate TLS renegotiation with the server and
362	the line will not be sent. This may trip up "RCPT TO:<someone@example.org>"
363	lines in SMTP. SMTP is not case-sensitive, so type "rcpt to" instead.
364	Alternatively, invoke s_client with the "-ign_eof" option to disable this
365	R-filtering and a few other features.
366
367
368	# END OF FAQ