From d9594575683785c7125c5fd1a15c8346a6f8b82b Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sun, 15 Apr 2018 17:45:48 -0400 Subject: [PATCH] Enable weak/old stuff in OpenSSL Configure OpenSSL with: enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers Include explanation as to why. --- doc/doc-txt/openssl.txt | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/doc/doc-txt/openssl.txt b/doc/doc-txt/openssl.txt index 7bcd47907..3efa8337f 100644 --- a/doc/doc-txt/openssl.txt +++ b/doc/doc-txt/openssl.txt @@ -28,6 +28,27 @@ Fortunately, this is easy. So this only applies if you build Exim yourself. +Insecure versions and ciphers +----------------------------- + +Email delivery to MX hosts is usually done with automatic fallback to +plaintext if TLS could not be negotiated. There are good historical reasons +for this. You can and should avoid it by using DNSSEC for signing your DNS +and publishing TLSA records, to enable "DANE" security. This signals to +senders that they should be able to verify your certificates, and that they +should not fallback to cleartext. + +In the absence of DANE, trying to increase the security of TLS by removing +support for older generations of ciphers and protocols will actually _lower_ +the security, because the clients fallback to plaintext and retry anyway. As +a result, you should give serious thought to enabling older features which are +no longer default in OpenSSL. + +The examples below explicitly enable ssl3 and weak ciphers. + +We don't like this, but reality doesn't care and is messy. + + Build ----- @@ -45,7 +66,8 @@ will try to use the new OpenSSL, then stick to something like ./config --prefix=/opt/openssl --openssldir=/etc/ssl \ -L/opt/openssl/lib -Wl,-R/opt/openssl/lib \ - enable-ssl-trace shared + enable-ssl-trace shared \ + enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers make make install -- 2.25.1