Perfect Forward Secrecy |
Post Reply |
Author | |
ois
Newbie Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Posted: 17 September 2014 at 9:32am |
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
ois,
Forward Secrecy (the ECDHE ciphers) are currently not enabled in SpamFilter. We have recently been asked to add support for it in SpamFilter, and since the OpenSSL libraries used by the new SpamFilter 4.6 do have support for them this will probably be implemented soon.
|
|
ois
Newbie Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
|
Tnx, there is hot pressure from the german government. We've to fix this ASAP.
Rgds, Fritz
|
|
ois
Newbie Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
|
Hi, what's about this issue?
Regards Fritz |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
We had placed it on hold as we recently released a new version of SpamFilter that features a separate GUI to control SpamFilter's service under Windows 2008/2012, in in these versions of Windows managing the SpamFilter service via the Interactive Services Detection screen was very inconvenient.
We'll resume to attempt support for this shortly.
|
|
ois
Newbie Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
|
Hi Roberto,
we have to fix the PFS-issue until the 10th of may. Otherwise we'll get a lot of trouble with the german goverment. Is it possible to force the PFS fix? Regards, Fritz OIS |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
ois,
In our internal alpha version we added the ability to have user-configurable cipher lists, which will allow to obtain much higher security as in this sample report below. We're still working to add FPS support, but are not there yet - there are good chances we'll be able to meet your deadline, but I cannot say for certain at this point. c:~ c$ ~/testssl.sh --starttls smtp 10.211.55.7:25 ######################################################### testssl.sh v2.2 (https://testssl.sh) ($Id: testssl.sh,v 1.151 2014/12/08 09:32:50 dirkw Exp $) This program is free software. Redistribution + modification under GPLv2 is permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Note: you can only check the server with what is available (ciphers/protocols) locally on your machine! ######################################################### Using "OpenSSL 1.0.2a 19 Mar 2015" from cmctrf2.local:/usr/local/bin/openssl (built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc") Testing now (2015-04-29 16:00) ---> 10.211.55.7:25 (10.211.55.7) <--- rDNS (10.211.55.7): - Couldn't determine what's running on port 25, assuming not HTTP --> Testing Protocols SSLv2 not offered (OK) SSLv3 not offered (OK) TLSv1 offered (OK) TLSv1.1 offered (OK) TLSv1.2 offered (OK) --> Testing standard cipher lists Null Cipher not offered (OK) Anonymous NULL Cipher not offered (OK) Anonymous DH Cipher not offered (OK) 40 Bit encryption not offered (OK) 56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/local/bin/openssl Export Cipher (general) not offered (OK) Low (<=64 Bit) not offered (OK) DES Cipher not offered (OK) Triple DES Cipher offered Medium grade encryption not offered High grade encryption offered (OK) --> Testing server defaults (Server Hello) Negotiated protocol TLSv1.2 Negotiated cipher AES256-GCM-SHA384 Server key size 2048 bit TLS server extensions renegotiation info, session ticket, heartbeat Session Tickets RFC 5077 300 seconds OCSP stapling not offered --> Testing specific vulnerabilities Renegotiation (CVE 2009-3555) Patched Server detected (0,1), probably ok CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway) --> Testing all locally available ciphers against the server Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits ------------------------------------------------------------------------- x9d AES256-GCM-SHA384 RSA AESGCM 256 x3d AES256-SHA256 RSA AES 256 x35 AES256-SHA RSA AES 256 x84 CAMELLIA256-SHA RSA Camellia 256 x9c AES128-GCM-SHA256 RSA AESGCM 128 x3c AES128-SHA256 RSA AES 128 x2f AES128-SHA RSA AES 128 x41 CAMELLIA128-SHA RSA Camellia 128 x0a DES-CBC3-SHA RSA 3DES 168 --> Checking RC4 Ciphers no RC4 ciphers detected (OK) --> Testing (Perfect) Forward Secrecy (P)FS) -- omitting 3DES, RC4 and Null Encryption here No PFS available Done now (2015-04-29 16:00) ---> 10.211.55.7:25 (10.211.55.7) <--- |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
ois,
We have good news on the FPS ciphers. We're testing an internal alpha version now that is able to support them. We will likely release it publicly within the next 3-4 days.
|
|
ois
Newbie Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
|
nice!
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
ois,
FYI we have pre-released SpamFilter v4.7.0.136 in the registered user area - this build supports PFS as requested.
|
|
ois
Newbie Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
|
Hi Roberto, it works
I hope the goverment is also satisfied. We will see. Tnx for your kindly support and help us, to hold this deadline. Regards, Fritz OIS |
|
yapadu
Senior Member Joined: 12 May 2005 Status: Offline Points: 297 |
Post Options
Thanks(0)
|
Can you provide some more information on how to use the SSLCiperList, looks like the following was added to the INI in a recent version update.
SSLCipherList=AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH Where do we find out the syntax for this and what we can add? Is it open ssl or something? Like others have mentioned in this board I also have problems if I disable anything :-( If I disable TLS 1, someone is going to complain. The issue is probably the sending server, but I look like the badguy so I leave it enabled. The recent version disabled SSL3 due to the POODLE vulnerability. Guess what happens, I start getting email from people that they can't get email from someone. It is happening on a large enough scale that I must enable SSL3 again. From my POOLE reading, it looks like if you disable SSLv3+CBC you might not be vulnerable? I would like to try and disable the CBC cipher but no idea how to go about it. |
|
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk. |
|
yapadu
Senior Member Joined: 12 May 2005 Status: Offline Points: 297 |
Post Options
Thanks(0)
|
I found the SSLCipherList is openSSL based.
Some instructions here for anyone who is interested: https://www.openssl.org/docs/apps/ciphers.html
I had no luck leaving SSLv3 enabled and just disabling SSLv3+CBC, the vulnerability tester I was using always complains if SSLv3 is enabled at all. I have ended up with this for the time being, will see what the fallout is from this. SSLCipherList=AES:ALL:!aNULL:!eNULL:!DES:+RC4:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:@STRENGTH |
|
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk. |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
I would not leave SSLv3 enabled after just disabling the CBC ciphers. That pretty much just leaves SSLv3 to use the RC4 ciphers, which are even more exploitable than the CBC. You really should disable SSLv3 in its entirety to avoid any relatively simple exploits.
For the syntax - yes, it is the OpenSSL one since SpamFilter's SSL libraries are based on that. The cipher list you're using looks pretty good. Another one we've tested for a while with decent results is this one: AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MD5:!aNULL:!EDH |
|
Post Reply | |
Tweet
|
Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
This page was generated in 0.461 seconds.