Nethserver and TLS/SSLv3


(Jeff Folk) #1

I was following a discussion on another server platform I use, and an issue about TLS and accepted ciphers and protocols… When I decided to investigate what protocols and ciphers my Nethserver advertises:

[root@neth ~]# nmap --script ssl-enum-ciphers -p 465 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2015-06-17 07:44 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers: 
|   SSLv3
|     Ciphers (30)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (30)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.1
|     Ciphers (30)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (46)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA
|       TLS_DH_anon_WITH_AES_128_CBC_SHA256
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256
|       TLS_DH_anon_WITH_AES_256_CBC_SHA
|       TLS_DH_anon_WITH_AES_256_CBC_SHA256
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DH_anon_WITH_RC4_128_MD5
|       TLS_DH_anon_WITH_SEED_CBC_SHA
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|       TLS_ECDH_anon_WITH_RC4_128_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_AES_256_GCM_SHA384
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

When I look at the Apache config, it disables SSLv3. Shouldn’t our mail server also disable SSLv3? I understand these are probably provided upstream, but just wondering…

Cheers!
Jeff


Template /etc/httpd/conf.d/ssl.conf
(Davide Principi) #2

I guess the SMTP client here is considered the responsible of the communication security, thus is expected to pick a good protocol/cipher.

Tightening the server settings could not be compatible with legacy clients.


(Filippo Carletti) #3

I’d try to enforce security.
Assuming that legacy clients use the same protocols for imaps and smpts, I compared dovecot and postfix. The former has less options and none of them is “broken”.

I found some hints here:
http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/


(Jeff Folk) #4

Yes, I wasn’t speaking to the client side, but rather to SMTP. According to STARTTLS.INFO, NethServer also accepts SSLv2 and anonymous Diffie-Hellman. Scoring a rather lax grade (E - 34.5%):

Certificate (I’m not worried about this, actually, I can add one later)
The certificate is self-signed.
There are one or more fatal problems which causes the certificate not to be trusted.
There are validity issues for the certificate. Certificates are seldom verified for SMTP servers, so this doesn’t mean that STARTTLS won’t be used.

Generally speaking it’s a bad practice not to have a valid certificate, and an even worse practice not to verify them. Any attempted encrypted communication is left all but wide open to Man-in-the-Middle attacks.

Protocol
Supports SSLV2. More info.
Supports SSLV3.
Supports TLSV1.
Supports TLSV1.1.
Supports TLSV1.2.
Key exchange
Anonymous Diffie-Hellman is accepted. This is suspectible to Man-in-the-Middle attacks.
Key size is 1024 bits; that’s somewhat insecure.
Cipher
Weakest accepted cipher: 0.
Strongest accepted cipher: 256.