Print Page | Close Window

Perfect Forward Secrecy

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7099
Printed Date: 27 December 2024 at 2:10am


Topic: Perfect Forward Secrecy
Posted By: ois
Subject: Perfect Forward Secrecy
Date Posted: 17 September 2014 at 9:32am
Does SpamFilter support "Perfect Forward Secrecy  https://de.wikipedia.org/wiki/Folgenlosigkeit_%28Kryptographie%29" rel="nofollow - This is a big issue in Germany. 




Replies:
Posted By: LogSat
Date Posted: 17 September 2014 at 2:05pm
ois,

Forward Secrecy (the ECDHE ciphers) are currently not enabled in SpamFilter. We have recently been asked to add support for it in SpamFilter, and since the OpenSSL libraries used by the new SpamFilter 4.6 do have support for them this will probably be implemented soon.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: ois
Date Posted: 18 September 2014 at 3:47am
Tnx, there is hot pressure from the german government. We've to fix this ASAP. 
Rgds, Fritz


Posted By: ois
Date Posted: 23 April 2015 at 10:01am
Hi, what's about this issue?
Regards Fritz



Posted By: LogSat
Date Posted: 23 April 2015 at 10:44pm
We had placed it on hold as we recently released a new version of SpamFilter that features a separate GUI to control SpamFilter's service under Windows 2008/2012, in in these versions of Windows managing the SpamFilter service via the Interactive Services Detection screen was very inconvenient.

We'll resume to attempt support for this shortly.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: ois
Date Posted: 29 April 2015 at 8:32am
Hi Roberto,
we have to fix the PFS-issue until the 10th of may. Otherwise we'll get a lot of trouble with the german goverment. Is it possible to force the PFS fix?

Regards, Fritz
OIS


Posted By: LogSat
Date Posted: 29 April 2015 at 4:05pm
ois,

In our internal alpha version we added the ability to have user-configurable cipher lists, which will allow to obtain much higher security as in this sample report below. We're still working to add FPS support, but are not there yet - there are good chances we'll be able to meet your deadline, but I cannot say for certain at this point.

c:~ c$ ~/testssl.sh --starttls smtp 10.211.55.7:25


#########################################################

testssl.sh v2.2  (https://testssl.sh)

($Id: testssl.sh,v 1.151 2014/12/08 09:32:50 dirkw Exp $)


   This program is free software. Redistribution + 

   modification under GPLv2 is permitted. 

   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!


 Note: you can only check the server with what is

 available (ciphers/protocols) locally on your machine!

#########################################################


 Using "OpenSSL 1.0.2a 19 Mar 2015" from

 cmctrf2.local:/usr/local/bin/openssl

 (built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")



Testing now (2015-04-29 16:00) ---> 10.211.55.7:25 (10.211.55.7) <---


 rDNS (10.211.55.7):      - 


 Couldn't determine what's running on port 25, assuming not HTTP


--> Testing Protocols 


 SSLv2      not offered (OK) 

 SSLv3      not offered (OK) 

 TLSv1      offered (OK) 

 TLSv1.1    offered (OK) 

 TLSv1.2    offered (OK) 


--> Testing standard cipher lists 


 Null Cipher              not offered (OK) 

 Anonymous NULL Cipher    not offered (OK) 

 Anonymous DH Cipher      not offered (OK) 

 40 Bit encryption        not offered (OK) 

 56 Bit encryption        Local problem: No 56 Bit encryption configured in /usr/local/bin/openssl 

 Export Cipher (general)  not offered (OK) 

 Low (<=64 Bit)           not offered (OK) 

 DES Cipher               not offered (OK) 

 Triple DES Cipher        offered

 Medium grade encryption  not offered

 High grade encryption    offered (OK) 


--> Testing server defaults (Server Hello) 


 Negotiated protocol       TLSv1.2 

 Negotiated cipher         AES256-GCM-SHA384 


 Server key size           2048 bit

 TLS server extensions     renegotiation info, session ticket, heartbeat

 Session Tickets RFC 5077  300 seconds

 OCSP stapling             not offered


--> Testing specific vulnerabilities 


 Renegotiation (CVE 2009-3555)             Patched Server detected (0,1), probably ok 

 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)  (not using HTTP anyway)


--> Testing all locally available ciphers against the server 


Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits

-------------------------------------------------------------------------

 x9d     AES256-GCM-SHA384              RSA        AESGCM     256                                                                                     

 x3d     AES256-SHA256                  RSA        AES        256                                                                                     

 x35     AES256-SHA                     RSA        AES        256                                                                                     

 x84     CAMELLIA256-SHA                RSA        Camellia   256                                                                                     

 x9c     AES128-GCM-SHA256              RSA        AESGCM     128                                                                                     

 x3c     AES128-SHA256                  RSA        AES        128                                                                                     

 x2f     AES128-SHA                     RSA        AES        128                                                                                     

 x41     CAMELLIA128-SHA                RSA        Camellia   128                                                                                     

 x0a     DES-CBC3-SHA                   RSA        3DES       168                                                                                     


--> Checking RC4 Ciphers 


no RC4 ciphers detected (OK) 


--> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here


No PFS available 


Done now (2015-04-29 16:00) ---> 10.211.55.7:25 (10.211.55.7) <---




-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: LogSat
Date Posted: 06 May 2015 at 11:07pm
ois,

We have good news on the FPS ciphers. We're testing an internal alpha version now that is able to support them. We will likely release it publicly within the next 3-4 days. 


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: ois
Date Posted: 07 May 2015 at 6:46am
nice! 


Posted By: LogSat
Date Posted: 10 May 2015 at 9:55pm
ois,

FYI we have pre-released SpamFilter v4.7.0.136 in the registered user area - this build supports PFS as requested.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: ois
Date Posted: 11 May 2015 at 5:32am
Hi Roberto, it works Smile

I hope the goverment is also satisfied. We will see. Tnx for your kindly support and help us, to hold this deadline. Thumbs Up

Regards, Fritz
OIS




Posted By: yapadu
Date Posted: 20 May 2015 at 11:23pm
Can you provide some more information on how to use the SSLCiperList, looks like the following was added to the INI in a recent version update.

SSLCipherList=AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH

Where do we find out the syntax for this and what we can add?  Is it open ssl or something?

Like others have mentioned in this board I also have problems if I disable anything :-(

If I disable TLS 1, someone is going to complain.  The issue is probably the sending server, but I look like the badguy so I leave it enabled.

The recent version disabled SSL3 due to the POODLE vulnerability.  Guess what happens, I start getting email from people that they can't get email from someone.  It is happening on a large enough scale that I must enable SSL3 again.

From my POOLE reading, it looks like if you disable SSLv3+CBC you might not be vulnerable?  I would like to try and disable the CBC cipher but no idea how to go about it.



-------------
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.


Posted By: yapadu
Date Posted: 21 May 2015 at 12:27am
I found the SSLCipherList is openSSL based.

Some instructions here for anyone who is interested:

http://www.openssl.org/docs/apps/ciphers.html" rel="nofollow - https://www.openssl.org/docs/apps/ciphers.html

I had no luck leaving SSLv3 enabled and just disabling SSLv3+CBC, the vulnerability tester I was using always complains if SSLv3 is enabled at all.

I have ended up with this for the time being, will see what the fallout is from this.

SSLCipherList=AES:ALL:!aNULL:!eNULL:!DES:+RC4:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:@STRENGTH


-------------
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.


Posted By: LogSat
Date Posted: 21 May 2015 at 10:45pm
I would not leave SSLv3 enabled after just disabling the CBC ciphers. That pretty much just leaves SSLv3 to use the RC4 ciphers, which are even more exploitable than the CBC. You really should disable SSLv3 in its entirety to avoid any relatively simple exploits.

For the syntax - yes, it is the OpenSSL one since SpamFilter's SSL libraries are based on that. The cipher list you're using looks pretty good. Another one we've tested for a while with decent results is this one:
AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MD5:!aNULL:!EDH




-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window