Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: unixnut on October 16, 2013, 11:48:06 AM
-
Hi,
First post for a looooong time :)
I ran ssllabs.com against one of my SME8beta1 machines and it complained about 3 insecure ciphers.
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 168
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) INSECURE 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE 256
Two questions really:
1. Would it cause major problems to remove support for the three anon ciphers?
2. If not, how would that be achieved, please?
Thanks
-
unixnut
This information & query is best posted to Bugzilla under the Security category or similar.
A link to bugs is at the top of the Forums.
The devs will assess if indeed there is a security issue & advise accordingly.
It's possible that ssllabs.com is finding false positives.
-
1. Will it cause problems to make changes?
I don't know.
2. How would you change the ciphersuite setting?
On my SME 8 server, it looks like I can change this line in /etc/httpd/conf/httpd.conf:
SSLCipherSuite HIGH:!SSLv2
...and this line in /var/service/qpsmtpd/config/tls_ciphers:
HIGH:!SSLv2
By setting this db variable:
config setprop modSSL CipherSuite 'valid-ciphersuite-string-here'
(note that you can override the 'modSSL' CipherSuite setting for qpsmtpd using config setprop qpsmtpd tlsCipher 'valid-ciphersuite-string-here')
On my SME 8.0 system I get the values below (my CipherSuite may already be customized):
# config show modSSL
modSSL=service
CipherSuite=HIGH:!SSLv2
TCPPort=443
access=public
status=enabled
More on setting the apache mod_ssl SSLCipherSuite directive can be found here:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
-
Apologies janet if I posted in the wrong place.
I wanted to see whether anyone else had found the same before considering it a general issue.
mmcarn, my settings are the same as yours. The check is also repeatable by anyone with a public-facing SME server.
Googling for the anon cipher finds a number of hits and this one shows it as not secure due to no key exchange between client and server.
http://www.techstacks.com/howto/j2se5_ssl_cipher_strength.html
Looks to me that the ssllabs.com failure is not a false positive, so I'd like to remove that cipher option.
-
Please raise a bug, set the security flag and we can decide the best way to proceed.
Also refer to Bug 7026, which last changed these settings.
= Suggested release notes:
Make CipherSuite secure by default and tls ciphers defaults to disallow SSLv2
There are two DB properties:
modSSL CipherSuite affects BOTH SMTPS & HTTPS, set by default.
qpsmtpd tlsCipher only affects SMTPS, does not exist as a default.
-
Submitted.
Bug 7916
Thanks
-
Bug 7916 (http://bugs.contribs.org/show_bug.cgi?id=7916) updated.
-
Perfect!
Repeated the same on my system.
Thanks for looking into it :P
-
The latest from the bug is this as the solution:
config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH'
signal-event remoteaccess-update
It will take a little longer to release.
Thanks for raising the issue, and creating the bug.
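As an added example that is not part of the thread, the following Python parses the ssllabs.com cipher-suite listing quoted in the first post (embedded below as constructed input), flags every suite whose key exchange is anonymous, and derives the OpenSSL exclusion keyword that the bug's fix appends to the CipherSuite string (`!ADH`). It goes slightly beyond the posted scan by also handling `ECDH_anon` suites (excluded with `!AECDH`), which the scan above does not contain.

```python
import re
from dataclasses import dataclass

# Constructed input: the cipher-suite lines from the ssllabs.com report quoted in the thread.
SCAN_OUTPUT = """\
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 168
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) INSECURE 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE 256
"""

# One scan line: IANA suite name, hex suite id in parentheses, then free text ending in the key size.
LINE_RE = re.compile(r"^(?P<name>TLS_(?P<kx>\w+?)_WITH_\w+)\s+\((?P<id>0x[0-9a-fA-F]+)\)\s*(?P<rest>.*)$")

@dataclass
class Suite:
    name: str
    kx: str              # key-exchange part of the name, e.g. RSA, DHE_RSA, DH_anon
    suite_id: int
    bits: int
    forward_secrecy: bool
    anonymous: bool      # no server authentication: the property ssllabs marks INSECURE

def parse_scan(text):
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        suites.append(Suite(name=m.group("name"), kx=m.group("kx"),
                            suite_id=int(m.group("id"), 16), bits=int(rest[-1]),
                            forward_secrecy="FS" in rest,
                            anonymous="anon" in m.group("kx").lower()))
    return suites

def anonymous_suites(suites):
    return [s for s in suites if s.anonymous]

def suggest_cipher_string(current, suites):
    # Append the OpenSSL keywords that exclude the anonymous suites actually offered.
    # (!aNULL would cover both families at once; !ADH is what the bug fix used.)
    parts = current.split(":")
    kxs = {s.kx for s in anonymous_suites(suites)}
    for prefix, keyword in (("DH_", "!ADH"), ("ECDH_", "!AECDH")):
        if any(k.startswith(prefix) for k in kxs) and keyword not in parts:
            parts.append(keyword)
    return ":".join(parts)
```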