Is there any specific reason why smtp.gentoo and pigeon.gentoo use
camellia for their outbound smtp starttls connections?
Not complaining or anything. Just curious.
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
04-27-2011, 10:14 PM
Eray Aslan
Camellia?
On Wed, Apr 27, 2011 at 03:38:16PM -0400, James Cloos wrote:
> Is there any specific reason why smtp.gentoo and pigeon.gentoo use
> camellia for their outbound smtp starttls connections?
Probably it is the strongest cipher supported. One can do
$ openssl ciphers -v 'ALL:@STRENGTH'
on those machines and see what comes up top. An upgrade might be in
order.
--
Eray Aslan
Developer, Gentoo Linux eras <at> gentoo.org
04-28-2011, 01:14 PM
Dane Smith
Camellia?
On 04/27/2011 06:14 PM, Eray Aslan wrote:
> openssl ciphers -v 'ALL:@STRENGTH'
I find it somewhat hard to believe that they are using a version of
OpenSSL that doesn't have AES-256. It's been around since 0.9.7.
Having said that, I don't know of any major weakness with the cipher.
The only thing I don't personally really love about it is the lack of
analysis. Something like AES has been the majority of the field's notice
and gets more attention, so it is likely better analyzed and understood.
Regards,
--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
On 04/28/11 14:30, James Cloos wrote:
>>>>>> "PC" == Panagiotis Christopoulos <pchrist@gentoo.org> writes:
>
> PC> Please, can you continue this somewhere more privately? I wouldn't
> PC> like it if I were a sysadmin and someone was posting information
> PC> about versions of software of production machines publicly. I hope
> PC> you understand.
>
> This isn't private information. Everyone who receives mail from these
> lists can see what crypto gentoo's outgoing servers use when connecting
> to one's MXs.
>
> -JimC
The cipher in use is public. The version of OpenSSL in use is not. He's
not referring to the cipher talk, but to the version information as far
as I can tell.
--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
On Thu, Apr 28, 2011 at 09:14:07AM -0400, Dane Smith wrote:
> I find it somewhat hard to believe that they are using a version of
> OpenSSL that doesn't have AES-256. It's been around since 0.9.7.
Presumably smtp.g.o and pigeon.g.o have the same setup.
ssl_create_cipher_list() makes the above list if you want to check its
history.
--
Eray Aslan
Developer, Gentoo Linux eras <at> gentoo.org
04-28-2011, 03:59 PM
Panagiotis Christopoulos
Camellia?
On 18:35 Thu 28 Apr , Eray Aslan wrote:
> ....
> eras@woodpecker ~ $ openssl version
> OpenSSL 0.9.8o 01 Jun 2010
>
> Presumably smtp.g.o and pigeon.g.o have the same setup.
> ssl_create_cipher_list() makes the above list if you want to check its
> history.
>
Please, can you continue this somewhere more privately? I wouldn't like it if
I were a sysadmin and someone was posting information about versions of
software of production machines publicly. I hope you understand.
PC> Please, can you continue this somewhere more privately? I wouldn't
PC> like it if I were a sysadmin and someone was posting information
PC> about versions of software of production machines publicly. I hope
PC> you understand.
This isn't private information. Everyone who receives mail from these
lists can see what crypto gentoo's outgoing servers use when connecting
to one's MXs.
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
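
How a recipient can read the negotiated cipher out of their own mailbox, as an added example that is not part of the original thread. It assumes the receiving MTA writes a Postfix-style "(using ... with cipher ...)" note into its Received headers; the hosts, addresses and queue IDs in the samples are constructed.

```python
import email
import re
from collections import Counter

# Postfix-style annotation (format assumed for this example):
#   from HOST (...) (using PROTO with cipher NAME (USED/AVAIL bits))
FROM_RE = re.compile(r"^from\s+(\S+)")
TLS_RE = re.compile(r"\(using\s+(\S+)\s+with\s+cipher\s+(\S+)\s+\((\d+)/(\d+)\s+bits\)\)")

# Constructed sample messages; hosts, IDs and addresses are placeholders.
SAMPLE_A = """\
Received: from mx-out1.example.org (mx-out1.example.org [192.0.2.10])
\t(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
\tby mx.example.net (Postfix) with ESMTPS id 0000000001
Received: from lists.example.org (localhost [127.0.0.1])
\tby mx-out1.example.org (Postfix) with ESMTP id 0000000002

body
"""
SAMPLE_B = """\
Received: from mx-out2.example.org (mx-out2.example.org [192.0.2.11])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mx.example.net (Postfix) with ESMTPS id 0000000003

body
"""

def received_tls(raw_message):
    """One (host, protocol, cipher, bits) tuple per Received header.
    protocol, cipher and bits are None when the hop recorded no TLS details."""
    hops = []
    for value in email.message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = FROM_RE.match(flat)
        host = m_from.group(1) if m_from else "(unknown)"
        m_tls = TLS_RE.search(flat)
        if m_tls:
            hops.append((host, m_tls.group(1), m_tls.group(2), int(m_tls.group(3))))
        else:
            hops.append((host, None, None, None))
    return hops

def cipher_counts(messages):
    """Tally (sending host, cipher) pairs across a batch of raw messages."""
    counts = Counter()
    for raw in messages:
        for host, _proto, cipher, _bits in received_tls(raw):
            counts[(host, cipher or "no TLS recorded")] += 1
    return counts
```

Running `cipher_counts` over a mailbox export shows which sending hosts negotiated which cipher with your MX, and which hops left no TLS annotation at all.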
04-28-2011, 07:06 PM
Eray Aslan
Camellia?
On Thu, Apr 28, 2011 at 06:59:05PM +0300, Panagiotis Christopoulos wrote:
> Please, can you continue this somewhere more privately? I wouldn't like it if
> I were a sysadmin and someone was posting information about versions of
> software of production machines publicly. I hope you understand.
Security through obscurity does not work. It especially will not work for the
infrastructure of a Linux distribution.
--
Eray Aslan
Developer, Gentoo Linux eras <at> gentoo.org
04-28-2011, 08:03 PM
Mark Loeser
Camellia?
Eray Aslan <eras@gentoo.org> said:
> On Thu, Apr 28, 2011 at 06:59:05PM +0300, Panagiotis Christopoulos wrote:
> > Please, can you continue this somewhere more privately? I wouldn't like it if
> > I were a sysadmin and someone was posting information about versions of
> > software of production machines publicly. I hope you understand.
>
> Security through obscurity does not work. It especially will not work for the
> infrastructure of a Linux distribution.
What does any of this have to do with development of Gentoo? Go send an
email to infrastructure if you want to talk to those that administer
those services.
--
Mark Loeser
email - halcy0n AT gentoo DOT org
email - mark AT halcy0n DOT com
web - http://www.halcy0n.com