public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Camellia?
From: James Cloos @ 2011-04-27 19:38 UTC
  To: gentoo-dev

Is there any specific reason why smtp.gentoo and pigeon.gentoo use
camellia for their outbound smtp starttls connections?

Not complaining or anything.  Just curious.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-dev] Camellia?
From: Eray Aslan @ 2011-04-27 22:14 UTC
  To: gentoo-dev

On Wed, Apr 27, 2011 at 03:38:16PM -0400, James Cloos wrote:
> Is there any specific reason why smtp.gentoo and pigeon.gentoo use
> camellia for their outbound smtp starttls connections?

Probably it is the strongest cipher supported.  One can do

$ openssl ciphers -v 'ALL:@STRENGTH'

on those machines and see what comes up top.  An upgrade might be in
order.
-- 
Eray Aslan
Developer, Gentoo Linux       eras <at> gentoo.org




* Re: [gentoo-dev] Camellia?
From: Dane Smith @ 2011-04-28 13:14 UTC
  To: gentoo-dev


On 04/27/2011 06:14 PM, Eray Aslan wrote:
> openssl ciphers -v 'ALL:@STRENGTH'

I find it somewhat hard to believe that they are using a version of
OpenSSL that doesn't have AES-256. It's been around since 0.9.7.

Having said that, I don't know of any major weakness with the cipher.
The only thing I don't personally really love about it is the lack of
analysis. Something like AES has been the majority of the field's notice
and gets more attention, so it is likely better analyzed and understood.

Regards,
-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index




* Re: [gentoo-dev] Camellia?
From: Dane Smith @ 2011-04-28 14:35 UTC
  To: gentoo-dev


On 04/28/11 14:30, James Cloos wrote:
>>>>>> "PC" == Panagiotis Christopoulos <pchrist@gentoo.org> writes:
> 
> PC> Please, can you continue this somewhere more privately? I wouldn't
> PC> like it if I were a sysadmin and someone was posting information
> PC> about versions of software of production machines publicly. I hope
> PC> you understand.
> 
> This isn't private information.  Everyone who receives mail from these
> lists can see what crypto gentoo's outgoing servers use when connecting
> to one's MXs.
> 
> -JimC

The cipher in use is public. The version of OpenSSL in use is not. He's
not referring to the cipher talk, but to the version information as far
as I can tell.

-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index




* Re: [gentoo-dev] Camellia?
From: Eray Aslan @ 2011-04-28 15:35 UTC
  To: gentoo-dev

On Thu, Apr 28, 2011 at 09:14:07AM -0400, Dane Smith wrote:
> I find it somewhat hard to believe that they are using a version of
> OpenSSL that doesn't have AES-256. It's been around since 0.9.7.

It does have AES256, just lower in the list:

eras@woodpecker ~ $ openssl ciphers -v ALL:@STRENGTH | head -n5
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
eras@woodpecker ~ $ openssl version
OpenSSL 0.9.8o 01 Jun 2010

Presumably smtp.g.o and pigeon.g.o have the same setup.
ssl_create_cipher_list() makes the above list if you want to check its
history.

-- 
Eray Aslan
Developer, Gentoo Linux       eras <at> gentoo.org
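The two messages above from Eray Aslan point at the same check: run `openssl ciphers -v 'ALL:@STRENGTH'` and look at what comes out on top. The script below is an added example, not code from the thread or from OpenSSL. It parses the `openssl ciphers -v` output format, reproduces what `@STRENGTH` does (a stable sort by symmetric key length, so that among the 256-bit suites the library's own ordering decides whether Camellia or AES lands first), and audits the list for suites a mail server should not be preferring. The sample input is constructed: the five lines quoted above from OpenSSL 0.9.8o, plus two weaker lines (`AES128-SHA`, `RC4-MD5`) added here so the lower end of the list is represented.

```python
import re

# Constructed sample input: the five lines quoted in the thread from
# `openssl ciphers -v ALL:@STRENGTH` on OpenSSL 0.9.8o, plus two lines added
# here (AES128-SHA, RC4-MD5) so the weaker end of the list is represented.
SAMPLE_OUTPUT = """\
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# One `openssl ciphers -v` line: NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=..
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)\s*$"
)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into a list of dicts, keeping order."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised cipher line: %r" % line)
        suite = m.groupdict()
        suite["bits"] = int(suite["bits"])
        suites.append(suite)
    return suites


def strength_order(suites):
    """Model of @STRENGTH: sort by symmetric key length, strongest first.
    Python's sort is stable, so suites with equal key length keep their
    incoming (library) order.  That is why the algorithm on top among the
    256-bit suites is decided by library order, not by any strength judgement."""
    return sorted(suites, key=lambda s: s["bits"], reverse=True)


def audit(suites):
    """Flag suites an SMTP server or outbound STARTTLS client should not prefer:
    anonymous key exchange (Au=None, no peer authentication), MD5 MAC,
    and symmetric keys shorter than 128 bits."""
    findings = {"anonymous": [], "weak_mac": [], "short_key": []}
    for s in suites:
        if s["au"] == "None":
            findings["anonymous"].append(s["name"])
        if s["mac"] == "MD5":
            findings["weak_mac"].append(s["name"])
        if s["bits"] < 128:
            findings["short_key"].append(s["name"])
    return findings


def top_cipher(suites):
    """Name of the suite a cipher list would offer first, or None if empty."""
    return suites[0]["name"] if suites else None


if __name__ == "__main__":
    suites = parse_ciphers(SAMPLE_OUTPUT)
    print("first suite:", top_cipher(suites))
    # Same key lengths fed in the opposite order: AES-256 now lands on top,
    # showing that @STRENGTH alone does not rank Camellia above AES.
    print("first after reversed input:",
          top_cipher(strength_order(list(reversed(suites)))))
    for kind, names in audit(suites).items():
        print("%-10s %s" % (kind, ", ".join(names) or "-"))
```

Run it as-is for the constructed sample, or pipe real output into `parse_ciphers()`. The audit result is the part worth acting on: with `ALL:@STRENGTH` the very first suite is `ADH-CAMELLIA256-SHA`, an anonymous Diffie-Hellman suite that authenticates nobody, so the key-length sort has put the unauthenticated suite ahead of the authenticated ones of equal strength.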




* Re: [gentoo-dev] Camellia?
From: Panagiotis Christopoulos @ 2011-04-28 15:59 UTC
  To: gentoo-dev


On 18:35 Thu 28 Apr     , Eray Aslan wrote:
>  ....
> eras@woodpecker ~ $ openssl version
> OpenSSL 0.9.8o 01 Jun 2010
> 
> Presumably smtp.g.o and pigeon.g.o has the same setup.
> ssl_create_cipher_list() makes the above list if you want to check its
> history.
> 
Please, can you continue this somewhere more privately? I wouldn't like it if
I were a sysadmin and someone was posting information about versions of
software of production machines publicly. I hope you understand.

-- 
Panagiotis Christopoulos ( pchrist )
    ( Gentoo Lisp Project )



* Re: [gentoo-dev] Camellia?
From: James Cloos @ 2011-04-28 18:30 UTC
  To: gentoo-dev

>>>>> "PC" == Panagiotis Christopoulos <pchrist@gentoo.org> writes:

PC> Please, can you continue this somewhere more privately? I wouldn't
PC> like it if I were a sysadmin and someone was posting information
PC> about versions of software of production machines publicly. I hope
PC> you understand.

This isn't private information.  Everyone who receives mail from these
lists can see what crypto gentoo's outgoing servers use when connecting
to one's MXs.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6




* Re: [gentoo-dev] Camellia?
From: Eray Aslan @ 2011-04-28 19:06 UTC
  To: gentoo-dev

On Thu, Apr 28, 2011 at 06:59:05PM +0300, Panagiotis Christopoulos wrote:
> Please, can you continue this somewhere more privately? I wouldn't like it if
> I were a sysadmin and someone was posting information about versions of
> software of production machines publicly. I hope you understand.

Security through obscurity does not work.  It especially will not work for the
infrastructure of a Linux distribution.

-- 
Eray Aslan
Developer, Gentoo Linux       eras <at> gentoo.org




* Re: [gentoo-dev] Camellia?
From: Mark Loeser @ 2011-04-28 20:03 UTC
  To: gentoo-dev


Eray Aslan <eras@gentoo.org> said:
> On Thu, Apr 28, 2011 at 06:59:05PM +0300, Panagiotis Christopoulos wrote:
> > Please, can you continue this somewhere more privately? I wouldn't like it if
> > I were a sysadmin and someone was posting information about versions of
> > software of production machines publicly. I hope you understand.
> 
> Security through obscurity does not work.  It especially will not work for the
> infrastructure of a Linux distribution.

What does any of this have to do with development of Gentoo?  Go send an
email to infrastructure if you want to talk to those that administer
those services.

-- 
Mark Loeser
email         -   halcy0n AT gentoo DOT org
email         -   mark AT halcy0n DOT com
web           -   http://www.halcy0n.com

