+1 vote
by (130 points)

I have two questions about your library Rebex Secure Mail for .NET.

1.) The TlsVersion enumeration has 5 members. Does ANY mean "selects automatically the best protocol available"?
Is there any priority which you are using to determine the TlsVersion used when selecting “Any”?

2.) I’m facing the same question regarding the TlsCipherSuite enumeration.
Are the currently secure transmission methods prioritized when the user chooses the enum member “Secure”?

Unfortunately the description isn’t very detailed.

With best regards
Jan

1 Answer

0 votes
by (58.9k points)

1) No, there is no priority. It works like this: The client announces to the server the highest TLS/SSL version it supports (this is specified by client.Settings.SslAllowedVersions). The server either accepts this or asks the client to use a lower version instead. In that case, the client only uses the lower version if the TlsVersion mask actually allows it as well (otherwise, the connection fails).

However, please note that TlsVersion.Any is not the default value in Rebex components. Currently, the SSL-enabled components (FTP, IMAP, POP3 or SMTP) use the following value for client.Settings.SslAllowedVersions by default:

TlsVersion.TLS11 | TlsVersion.TLS10

This means - use TLS 1.1 if possible, otherwise allow TLS 1.0.

Please note that this used to be TlsVersion.TLS10 | TlsVersion.SSL30 until version 2014 R2. We removed SSL 3.0 from the list because it is no longer considered secure enough and it's susceptible to the POODLE attack (it can still be enabled if needed), and we added TLS 1.1 because it's already widely supported. In the next release, we will add TLS 1.2 support as well.

So to sum it up - if you are using the latest version of Rebex components, it's usually best to use the default for SslAllowedVersions. If you specified TlsVersion.Any, you would also enable SSL 3.0, which is no longer considered secure and should only be used if it's the only version the server supports (which is very rare).

2) Yes, there is a priority here. When you choose TlsCipherSuite.Secure, the following ciphers will be enabled. They are sorted by priority - the topmost algorithm that happens to be supported both by the client and the server will be used:

  • DHE_RSA_WITH_AES_128_CBC_SHA
  • DHE_RSA_WITH_AES_256_CBC_SHA
  • RSA_WITH_AES_128_CBC_SHA
  • RSA_WITH_AES_256_CBC_SHA
  • DHE_DSS_WITH_AES_128_CBC_SHA
  • DHE_DSS_WITH_AES_256_CBC_SHA
  • DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • RSA_WITH_3DES_EDE_CBC_SHA
  • DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • RSA_WITH_RC4_128_SHA
  • DHE_DSS_WITH_RC4_128_SHA

Please note that this will change in the next release as well - we are adding support for SHA-256 based ciphers.

...
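The two mechanisms the answer describes (a version mask where the client offers its highest allowed version and only accepts a server-requested downgrade that the mask also permits, and a priority-ordered cipher suite list where the first client suite the server also supports wins) are modelled below as an added example. This is not Rebex code and does not call the Rebex API; the bit values of the `TlsVersion` flags, the inclusion of a `TLS12` flag (which the answer only says is planned), and the function names `negotiate_version` and `select_suite` are assumptions made for this illustration. The suite list is the one given in the answer, in the same order.

```python
from enum import IntFlag
from typing import Iterable, List, Optional


class TlsVersion(IntFlag):
    """Flag-style version mask modelled on the TlsVersion enumeration the answer
    discusses. The bit values are an assumption made for this example; TLS12 is
    included only because the answer says TLS 1.2 support is planned."""
    SSL30 = 1
    TLS10 = 2
    TLS11 = 4
    TLS12 = 8
    Any = SSL30 | TLS10 | TLS11 | TLS12


# Default the answer gives for client.Settings.SslAllowedVersions (TLS 1.1, else TLS 1.0).
DEFAULT_ALLOWED = TlsVersion.TLS11 | TlsVersion.TLS10

# Single versions from lowest to highest; used to pick "highest allowed" and "next lower".
_SINGLE_VERSIONS = (TlsVersion.SSL30, TlsVersion.TLS10, TlsVersion.TLS11, TlsVersion.TLS12)


def negotiate_version(client_allowed: TlsVersion,
                      server_supported: TlsVersion) -> Optional[TlsVersion]:
    """Model of the version handshake described in the answer.

    The client announces the highest version in its mask. The server either
    accepts it or asks for the highest version it supports below that offer.
    The client agrees to the lower version only if its own mask allows it;
    otherwise the connection fails, modelled here as a None result.
    """
    if not client_allowed:
        raise ValueError("client mask must allow at least one version")
    offered = max(v for v in _SINGLE_VERSIONS if v in client_allowed)
    if offered in server_supported:
        return offered  # server accepts the client's offer
    lower = [v for v in _SINGLE_VERSIONS if v in server_supported and v < offered]
    if not lower:
        return None  # server supports nothing at or below the offered version
    proposed = max(lower)
    if proposed not in client_allowed:
        return None  # downgrade outside the client mask: connection fails
    return proposed


# Suites enabled by TlsCipherSuite.Secure as listed in the answer, highest priority first.
SECURE_SUITES: List[str] = [
    "DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE_RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "DHE_DSS_WITH_AES_128_CBC_SHA",
    "DHE_DSS_WITH_AES_256_CBC_SHA",
    "DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_RC4_128_SHA",
    "DHE_DSS_WITH_RC4_128_SHA",
]


def select_suite(client_suites: Iterable[str], server_suites: Iterable[str]) -> Optional[str]:
    """Return the first suite in the client's priority order that the server also supports."""
    server = set(server_suites)
    for suite in client_suites:
        if suite in server:
            return suite
    return None  # no common suite: handshake would fail


if __name__ == "__main__":
    # Constructed server capabilities, not captured from any real server.
    print(negotiate_version(DEFAULT_ALLOWED, TlsVersion.TLS12 | TlsVersion.TLS11 | TlsVersion.TLS10))
    print(negotiate_version(DEFAULT_ALLOWED, TlsVersion.SSL30))  # None: SSL 3.0 not in the mask
    print(negotiate_version(TlsVersion.Any, TlsVersion.SSL30))  # Any lets SSL 3.0 through
    print(select_suite(SECURE_SUITES, {"RSA_WITH_AES_256_CBC_SHA", "DHE_RSA_WITH_AES_256_CBC_SHA"}))
```

The third call in the usage block is the point the answer makes about `TlsVersion.Any`: a server that only speaks SSL 3.0 is accepted, whereas with the default mask the same server causes the connection to fail.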