pkgsrc-Users archive


Re: ECDH support for sendmail



On Wed, Nov 06, 2013 at 02:48:21PM +0100, Fredrik Pettai wrote:
> > The same thing happens with mail clients, and I can see an improvement of
> > PFS usage with ECDH-enabled sendmail. I have not yet identified what clients
> > are impacted, but there are some that did not pick DHE ciphers, but now
> > negotiate ECDHE ciphers.
> 
> Thanks for explaining this. Now your patch makes sense :) I was
> also about to comment about your patch too, because I was thinking
> MTA to MTA communication. (You didn't mention that this was mostly
> for MUA to MTA communication.)

Here are numbers for a mix of a hundred clients using
authenticated SMTP over TLS:

             Before  After  Notes
PFS             36%    97%  Almost all DHE capable clients switched to ECDHE
128 bit keys    63%     1%
168 bit keys     1%     2%  This is triple DES. 
256 bit keys    36%    97%  Remaining switched to 3DES at 168 bit length


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost
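
Figures like the ones in the table above can be tallied from the mail log. The following is an added example, not code from this thread: it assumes the `STARTTLS=server, ... cipher=..., bits=...` line that sendmail logs for inbound TLS sessions, uses constructed sample lines, and counts connections rather than distinct clients.

```python
import re
from collections import Counter

# Constructed sample lines (hosts and addresses are documentation values).
SAMPLE_LOG = """\
Nov  6 15:01:02 mx sm-mta[1201]: STARTTLS=server, relay=c1.example.net [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
Nov  6 15:01:09 mx sm-mta[1207]: STARTTLS=server, relay=c2.example.net [192.0.2.11], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov  6 15:02:44 mx sm-mta[1215]: STARTTLS=server, relay=c3.example.net [192.0.2.12], version=TLSv1/SSLv3, verify=NO, cipher=AES128-SHA, bits=128/128
Nov  6 15:03:30 mx sm-mta[1222]: STARTTLS=server, relay=c4.example.net [192.0.2.13], version=TLSv1/SSLv3, verify=NO, cipher=DES-CBC3-SHA, bits=168/168
Nov  6 15:03:31 mx sm-mta[1222]: AUTH=server, relay=c4.example.net [192.0.2.13], authid=user, mech=PLAIN, bits=0
"""

# Capture the negotiated cipher name and its effective key length.
STARTTLS_RE = re.compile(
    r"STARTTLS=server,.*?cipher=(?P<cipher>[^,\s]+), bits=(?P<bits>\d+)/\d+"
)

# OpenSSL cipher-name prefixes that imply an ephemeral key exchange.
# TLS 1.3 suites (TLS_*) are included because certificate-based TLS 1.3
# handshakes always use ephemeral (EC)DHE.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def tally(log_text):
    """Return (total TLS sessions, PFS sessions, Counter of key bits)."""
    total = pfs = 0
    bits = Counter()
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if not m:
            continue  # not an inbound STARTTLS record
        total += 1
        if m["cipher"].startswith(PFS_PREFIXES):
            pfs += 1
        bits[int(m["bits"])] += 1
    return total, pfs, bits


def percentages(log_text):
    """Express the tally as percentages of all inbound TLS sessions."""
    total, pfs, bits = tally(log_text)
    if total == 0:
        return {"pfs": 0.0, "bits": {}}
    share = {b: 100.0 * n / total for b, n in sorted(bits.items())}
    return {"pfs": 100.0 * pfs / total, "bits": share}


if __name__ == "__main__":
    print(percentages(SAMPLE_LOG))
```
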

