pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ECDH support for sendmail

On Nov 6, 2013, at 06:14 , Emmanuel Dreyfus <> wrote:

> Greg Troxel <> wrote:
>> I also wonder if this is enabled in other MTAs, and/or openssl itself.
>> In other words, is this making sendmail catch up with existing practice,
>> or making sendmail be avant garde?
> Not sure about other MTA capabilities, but the thing is still desirable.
> Here is the background: there is a nice cryptographic feature called Perfect
> Forward Secrecy, which means that if you store encrypted trafic, a later
> compromission of server private key will not compromise the stored
> communications.
> There are two family of ciphers that will give you that: DHE and ECDHE
> (openssl ciphers give you the whole list). Most TLS-enabled servers enable
> DHE ciphers nowadays, fewer have ECDHE. But there are clients that will use
> ECDHE but not DHE with RSA,  which means that you need both DHE and ECDHE if
> you want to enlarge PFS usage
> This ca be easily observed for web servers with Qualys SSL server test:
> Give it a try with apache 2.2.x, you miss many browsers PFS capability. Add
> the ECC support patch that was backported from 2.4 and you get PFS for all
> modern browsers. Patch is there:
> The same thing happens with mail clients, and I can see an improvement of
> PFS usage with ECDH-enabled sendmail. I have not yet identified what clients
> are impacted, but there are some that did not pick DHE ciphers, but now
> negociate ECDHE ciphers.

Thanks for explaining this. Now your patch makes sense :) I was also about to 
comment about your patch too, because I was thinking MTA to MTA communication. 
(You didn't mention that this was mostly for MAU to MTA communication.)

I also want to echo what jnemeth@ wrote about EC and NSA...


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Home | Main Index | Thread Index | Old Index