Kurt Fitzner's questions

I am interested in configuring Dovecot's TLS so as to retain forward secrecy, but eliminate all of NIST's elliptic curves.

Besides being subject to side channel attacks, in some quarters there is a general distrust of NIST's curves and other cryptographic primitives after the Dual EC DRBG debacle.

From what I can tell, the following will prevent the use of NIST's curves (and some other dangerous primitives) in Dovecot, but this is accomplished by simply disabling EECDH entirely.

ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH

This should still retain forward secrecy through the use of EDH, but this doesn't leave much in the way of allowable algorithms:

$ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH'
  0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
  0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
  0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
  0x00,0x3D - AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
  0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
  0x00,0x67 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
  0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
  0x00,0x3C - AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

Is there a better way to do this? Is there a way to disable only the suspect NIST curves and still retain EECDH but with side-channel safe curves like X25519?

In version 1 of the SSH protocol, it was possible to set the ephemeral session key size with the ServerKeyBits setting in sshd_config. Is there a way to do this for version 2 of the ssh protocol?

In the SSH protocol there are three encryption keys used:

1. The server key
2. The (intermediary) ephemeral session key
3. The final symmetric cipher key

The intermediary ephemeral session key is an asymmetric cipher key created only for that session. It is created so that when the final symmetric key is passed, it doesn't have to be encrypted with the server key. This is so that if the server key is ever compromised, you can't use it to recover the end symmetric cipher key from previously "recorded" sessions. This is forward secrecy.

The size of the server key is set by the user when the user creates it. The size of the end symmetric cipher is preset by RFC and is inherent in the symmetric cipher that is chosen. The intermediary key, the ephemeral session key, I don't know how to set the size of that key. In version 1 of she SSH protocol you could set it with the ServerKeyBits setting. What is the way to set this in version 2 of the protocol?

It appears that the client specifies the minimum, preferred, and maximum modulus size when diffie-hellman-group-exchange-sha256 is used as the key exchange method. Does this mean removing smaller bit sizes from the server moduli file (as recommended here) will actually prevent small ephemeral key sizes from being used if the client asks for it, or will the server simply used one of its built-in fixed moduli if a broken client only wants a really small one?