Important: For Domino SMTP with ECDSA keys for STARTTLS inbound
Daniel Nashed – 16 March 2024 08:45:15
The short version if you don't want to know all the technical details:
If you choose an ECDSA key for your web server, make sure you also have an RSA key for SMTP inbound connections.
In case you are interested in the technical details, read on ...
-- Daniel
What's the big deal with running ECDSA keys/certs for SMTP only?
Domino supports modern cryptography with elliptic curve ciphers since version 12.0.
Web clients/applications usually fully support ECDSA today. But not every SMTP provider's infrastructure is ready for ECDSA keys.
Outgoing connections from a Domino server over SMTP with STARTTLS are usually not a problem, because the server side drives what is used during the TLS handshake.
But for incoming connections the Domino SMTP server will present supported ciphers based on the TLS Credentials (new name for SSL certificate in certstore.nsf since Domino 12.0).
If you are running only an ECDSA certificate, you limit the supported ciphers to the following two ECDSA ciphers.
This might prevent some older servers from delivering messages or cause them to fall back to unencrypted connections.
With ECDSA Domino by default uses the following two ciphers:
./nshciphers blog.nashcom.de
------------------------------------------
C02C, TLSv1.2, ECDHE-ECDSA-AES256-GCM-SHA384 , TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
C02B, TLSv1.2, ECDHE-ECDSA-AES128-GCM-SHA256 , TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
------------------------------------------
RSA keys recommended for SMTP
The new TLS cache which is part of the new functionality in Domino 12+ supports both key types in parallel.
The TLS cache determines which key to use based on the signature algorithms the client passes to the server.
So you can add TLS credentials with RSA and ECDSA keys in parallel to certstore.nsf
What determines which certificate/key is used?
The signing algorithms requested during the handshake determine the certificate used.
If both algorithms or neither are requested, Domino prefers ECDSA for HTTPS and RSA for all other protocols by default (can be flipped per protocol via notes.ini).
Example requesting ECDSA and RSA with STARTTLS
Here is an example passing both types of signature algorithms to a STARTTLS connection.
You can see that an RSA key/certificate has been picked, which results in an RSA cipher being used.
openssl s_client -sigalgs "RSA+SHA256:ECDSA+SHA256" -connect notes.nashcom.de:25 -starttls smtp
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Example requesting only ECDSA with STARTTLS
In contrast, when only an ECDSA signing algorithm is specified, the server prefers the ECDSA key/certificate, resulting in an ECDSA cipher being used.
openssl s_client -sigalgs "ECDSA+SHA256" -connect notes.nashcom.de:25 -starttls smtp
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
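The two checks above (which key types a listener's cipher list can serve, and which key a given signature-algorithm offer selects) can be scripted. This is an added example, not part of the original post or of nsh-tools; it assumes nshciphers prints the listing format shown in this post, and the function names and the -tls1_2 pinning are choices of this example.

```shell
#!/bin/sh
# Added example. SAMPLE_ECDSA_ONLY is constructed from the listing in this post.
SAMPLE_ECDSA_ONLY='------------------------------------------
C02C, TLSv1.2, ECDHE-ECDSA-AES256-GCM-SHA384 , TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
C02B, TLSv1.2, ECDHE-ECDSA-AES128-GCM-SHA256 , TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
------------------------------------------'

# Map an OpenSSL TLS 1.2 cipher name to the certificate key type it needs.
key_type() {
  case "$1" in
    *-ECDSA-*) echo ECDSA ;;
    *-RSA-*)   echo RSA ;;
    *)         echo OTHER ;;
  esac
}

# Read "ID, protocol, openssl-name , IANA-name" lines on stdin and report
# which key types the listener can serve: dual, rsa-only, ecdsa-only or none.
audit_cipher_list() {
  rsa=0; ecdsa=0
  while IFS=, read -r _id _proto name _iana; do
    name=$(printf '%s' "$name" | tr -d ' ')
    [ -n "$name" ] || continue          # skips separator and blank lines
    case "$(key_type "$name")" in
      RSA)   rsa=$((rsa + 1)) ;;
      ECDSA) ecdsa=$((ecdsa + 1)) ;;
    esac
  done
  if [ "$rsa" -gt 0 ] && [ "$ecdsa" -gt 0 ]; then echo "dual"
  elif [ "$ecdsa" -gt 0 ]; then echo "ecdsa-only"   # RSA-only senders cannot negotiate
  elif [ "$rsa" -gt 0 ]; then echo "rsa-only"
  else echo "none"; fi
}

# Extract the negotiated cipher from "openssl s_client" output on stdin.
negotiated_cipher() {
  sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Usage: probe_sigalgs host:25   (needs network access; not run automatically)
# -tls1_2 is pinned because only TLS 1.2 cipher names reveal the key type.
probe_sigalgs() {
  for algs in "RSA+SHA256" "ECDSA+SHA256" "RSA+SHA256:ECDSA+SHA256"; do
    c=$(openssl s_client -tls1_2 -sigalgs "$algs" -connect "$1" -starttls smtp \
          </dev/null 2>/dev/null | negotiated_cipher)
    echo "$algs -> ${c:-handshake failed} ($(key_type "$c"))"
  done
}

printf '%s\n' "$SAMPLE_ECDSA_ONLY" | audit_cipher_list
```

An "ecdsa-only" verdict for the SMTP listener, or a failed handshake on the "RSA+SHA256" probe, is the condition this post warns about.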
Supported strong RSA cipher list in Domino 14.0 has changed!
Domino 14 moved more ciphers to the weak list. Only four ciphers remain on the recommended list.
./nshciphers blog.nashcom.de -r
------------------------------------------
C030, TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 , TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
009F, TLSv1.2, DHE-RSA-AES256-GCM-SHA384 , TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
C02F, TLSv1.2, ECDHE-RSA-AES128-GCM-SHA256 , TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
009E, TLSv1.2, DHE-RSA-AES128-GCM-SHA256 , TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
------------------------------------------
Enabling weak ciphers
If you pick any other cipher, you have to set notes.ini USE_WEAK_SSL_CIPHERS=1
Choosing weaker ciphers for SMTP isn't a general problem.
Modern SSL/TLS stacks support secure renegotiation to ensure that the highest cipher the SSL client and server have in common is picked (the order is server determined unless configured differently).
So allowing older, potentially weaker ciphers isn't a big deal.
As long as you are not in a highly regulated environment and don't have to ensure a trusted channel, a weaker cipher is much better than a fallback to unencrypted SMTP traffic.
Changing the cipher list for SMTP
For outgoing connections the server document is used to configure the ciphers used.
This is even true if you enable internet sites and the cipher list is hidden.
To look at the cipher list and change it, disable internet sites in the basic tab, change the cipher list and enable internet sites before saving.
Tests have shown that the cipher configuration in the server document is also used for inbound SMTP connections -- the ciphers in the SMTP internet site are ignored.
But with internet sites you can still distinguish between HTTPS and SMTP STARTTLS this way.
Domino 14.0 Dialog
Older dialogs have fewer deprecated ciphers (see further down)
Without enabling weak ciphers, Domino 12.0.2 FP3 uses the following ciphers.
The basic RSA non-DHE ciphers have been marked weak for a long time, because those older ciphers don't support Forward Secrecy (FS).
If you are running on Domino 12.0.2 you can just enable those older ciphers listed in red.
For Domino 14.0 you would need to set notes.ini USE_WEAK_SSL_CIPHERS=1
nshciphers domino.nashcom.de -r
------------------------------------------
C030, TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 , TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
009F, TLSv1.2, DHE-RSA-AES256-GCM-SHA384 , TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
C02F, TLSv1.2, ECDHE-RSA-AES128-GCM-SHA256 , TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
009E, TLSv1.2, DHE-RSA-AES128-GCM-SHA256 , TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
C028, TLSv1.2, ECDHE-RSA-AES256-SHA384 , TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
006B, TLSv1.2, DHE-RSA-AES256-SHA256 , TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
C027, TLSv1.2, ECDHE-RSA-AES128-SHA256 , TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
0067, TLSv1.2, DHE-RSA-AES128-SHA256 , TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
------------------------------------------
Log of weak ciphers
You can see here that the right hand ciphers with RSA only have been listed as weak ciphers when starting HTTP in my case:
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_AES_256_GCM_SHA384. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_AES_128_GCM_SHA256. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_AES_256_CBC_SHA256. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_AES_128_CBC_SHA256. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_AES_128_CBC_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_3DES_EDE_CBC_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_RC4_128_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
Conclusion
Running an RSA key/cert for SMTP is an important requirement.
Depending on your use case, you might also want to enable weaker ciphers in Domino 14.0 for SMTP only, which isn't really lowering your security in general because of secure renegotiation.
I am personally keeping the stronger cipher list with RSA and ECDSA.
But now you know what you can do if you have older SMTP servers which can't connect any more.
---
Two test tools that might help you (but you need to compile them on your own)
https://github.com/nashcom/nsh-tools/tree/main/nshcipher
https://github.com/nashcom/nsh-tools/tree/main/nshmailx