View Issue Details

ID: 0001241
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2019-01-24 11:36
Reporter: hanno
Assigned To: jandd
Priority: high
Severity: major
Reproducibility: always
Status: needs feedback
Resolution: reopened
Product Version:
Target Version:
Fixed in Version: 2014 Q4
Summary: 0001241: cacert.org SSL/TLS configuration is bad on many levels
Description: I just had a look at how the cacert.org webpage performs in its SSL/TLS settings. See the Qualys SSL test:
https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

It's very bad. Issues that should be addressed:
* It doesn't support TLS 1.1 and TLS 1.2. There have been various issues with older TLS versions due to the crappy way it combines CBC and MAC, so everyone these days recommends to support TLS 1.2 with GCM.
* It uses RC4 and MD5 as its first cipher. RC4 should be avoided and MD5 has been extremely broken for a very very long time.
* It doesn't ship the class3 as a certificate chain, so people importing the cacert root in their browser will still not see the page cert as valid.
* Only very limited support for Perfect Forward Secrecy.
* DH key exchange with 1024 bit only.

I can give more details and explanations for each of those issues if needed.
Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

parent of 0001303 closed jandd CATS.cacert.org TLS of cats.cacert.org is weak and outdated 
parent of 0001314 closed wytze Main CAcert Website SSL/TLS support for SSL3 protocol and 3DES cipher suite should be disabled 
parent of 0001342 closed Main CAcert Website wiki.cacert.org still offers SSLv3 
parent of 0001346 closed jandd Main CAcert Website irc.cacert.org SSL/TLS configuration rated grade F on SSL Labs. 
parent of 0001347 closed jandd Main CAcert Website list.cacert.org SSL/TLS configuration rated grade F on SSL Labs 
parent of 0001348 closed jandd Main CAcert Website svn.cacert.org SSL/TLS configuration rated grade B on SSL Labs 
parent of 0001349 closed NEOatNHNG Infrastructure board.cacert.org SSL/TLS configuration rated grade C on SSL Labs 
parent of 0001350 confirmed jandd Main CAcert Website {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs 
parent of 0001351 closed jandd Main CAcert Website {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure 
parent of 0001352 closed jandd Main CAcert Website list.cacert.org SSL/TLS configuration for SMTP is completely insecure 
parent of 0001353 closed NEOatNHNG translations.cacert.org {l10,translations}.cacert.org SSL/TLS configuration rated grade C on SSL Labs 
parent of 0001370 closed Infrastructure jenkins.cacert.org SSL/TLS configuration rated grade C on SSL Labs 
related to 0001262 closed wytze Main CAcert Website SslLabs B rating (if trust issues are ignored) for cacert.org SSL/TLS setup 
related to 0001301 closed NEOatNHNG Main CAcert Website sanitizeHTML function converts input which contains non-ascii characters to an empty string 
Not all the children of this issue are yet resolved or closed.

Activities

NEOatNHNG

2014-03-10 18:09

administrator   ~0004626

Cipher suite configuration should probably be changed to something like

# CAcert cipher suite configuration
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL


That doesn't solve the TLS 1.1/1.2 issue, that needs a system upgrade.

The class3 certificate is not needed in the chain because the certificate is directly signed by the root.

DH keys with more than 1024 bit are only available in Apache >=2.4.7. Otherwise we would need to patch it ourselves and I wouldn't go down that road right now. That's why in the above cipher spec ECDH is preferred over DH because there the EC key size offers more security than 1024 bit DH. Once Apache 2.4.7 is deployed we should probably switch those because of some uncertainties in EC.
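
Added example, not part of the original thread or of CAcert's code: a way to see what the cipher string from the note above (written with a `:` between `+3DES` and `!RC4`) expands to on the local OpenSSL, grouped by the weaknesses raised in this issue. It assumes Python 3 with the standard `ssl` module; the function names are this example's own.

```python
import ssl

# Cipher string proposed in the note above; the local OpenSSL decides what it expands to.
PROPOSED = "kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL"


def expand(spec):
    """Suites the local OpenSSL enables for `spec`, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when no suite matches
    # TLS 1.3 suites are configured separately from this string, so skip them.
    return [s for s in ctx.get_ciphers() if s["protocol"] != "TLSv1.3"]


def fields(suite):
    """Parse the Kx=/Au=/Enc=/Mac= columns (same layout as `openssl ciphers -v`)."""
    return dict(t.split("=", 1) for t in suite["description"].split() if "=" in t)


def audit(spec):
    """Group the enabled suites by the weaknesses raised in this issue."""
    report = {"first": None, "RC4": [], "MD5": [], "3DES": [],
              "anonymous": [], "no_forward_secrecy": []}
    for i, suite in enumerate(expand(spec)):
        f, name = fields(suite), suite["name"]
        if i == 0:
            report["first"] = name  # what a client offering everything would get
        if f.get("Enc", "").startswith("RC4"):
            report["RC4"].append(name)
        if f.get("Enc", "").startswith("3DES"):
            report["3DES"].append(name)
        if f.get("Mac") == "MD5":
            report["MD5"].append(name)
        if f.get("Au") == "None":
            report["anonymous"].append(name)
        # On OpenSSL 1.1.0 and later, Kx=ECDH / Kx=DH always means ephemeral keys.
        if not f.get("Kx", "").startswith(("ECDH", "DH")):
            report["no_forward_secrecy"].append(name)
    return report


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for key, value in audit(PROPOSED).items():
        print(f"{key}: {value}")
```

The result depends on the OpenSSL build Python is linked against, so run it on the host that serves the site; suites listed under `no_forward_secrecy` come from the `ALL` term and are only chosen when a client offers nothing better.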

NEOatNHNG

2014-03-11 23:08

administrator   ~0004635

New cipher suite configuration was deployed. More ciphers will be available after system update.

hanno

2014-07-13 12:32

reporter   ~0004885

I'm surprised that this has been closed as most issues I mentioned are not fixed at all.

Also, it seems the webpage is currently vulnerable to the CCS injection bug. (It is not THAT severe, because the known attacks only affect newer OpenSSL versions, but still Adam Langley pointed out that there are likely other attacks without that limitation.)

sebix

2014-09-07 14:10

reporter   ~0004990

cats.cacert.org has an F-rating: https://www.ssllabs.com/ssltest/analyze.html?d=cats.cacert.org And uses an outdated OpenSSL-Version from prior to June 2014 (nearly 3 full months ago!), as it's affected by CVE-2014-0224. It includes ciphers like RC2, RC4, DES, DES40.
secure.cacert.org and ocsp.cacert.org only provide up to TLS1.0: https://www.ssllabs.com/ssltest/analyze.html?d=secure.cacert.org https://www.ssllabs.com/ssltest/analyze.html?d=ocsp.cacert.org
infrastructure.cacert.org uses a cert for monitor.cacert.org
finance.cacert.org uses a cert from board.cacert.org

For state-of-the-art crypto in TLS I recommend using 'Applied Crypto Hardening' by https://bettercrypto.org

CAcert is a showcase project on how crypto should be done and represents an important part of the Web of trust. On the other hand it uses vulnerable and weak crypto on some subdomains.

wytze

2014-09-07 14:39

developer   ~0004991

Please note that this bug primarily concerns www.cacert.org and secure.cacert.org. For these services, we are waiting on the approval of a fairly trivial application bug fix, after which we can re-do the upgrade of the chroot OS environment to Debian Wheezy -- including *much* better openssl support, which will make a considerable rating difference. Still, even without that upgrade, the current SSL Labs rating of these services is "B" when we disregard the trust issue -- an issue, which can only be resolved by getting the CAcert root certificate included in major browser distributions.

For ocsp.cacert.org, SSL is fairly unimportant: we are receiving ZERO real OCSP requests over SSL (https). The https channel is only used by a few sites trying to establish the security of the site it seems (140 reqs in one full month ...). Still, the "B" rating (again disregarding the trust issue) is fairly decent. We can probably improve it by upgrading the OS to a more recent version.

cats.cacert.org is another category: this system is not managed by the critical system admin team. Please file a separate bug for this system, so the problem can be assigned to the appropriate sysadmin. At first look, it would seem that a simple reconfig of the Apache webserver there would make a major difference. You could also e-mail cats-admin@cacert.org directly.

sebix

2014-09-07 15:24

reporter   ~0004992

Thanks for the response and the explanations, so this issue is currently blocked by 0001260.
For cats.cacert.org I filed a separate issue, referencing this one.

wytze

2014-09-07 15:41

developer   ~0004993

This issue is specifically blocked by https://bugs.cacert.org/view.php?id=1301.
https://bugs.cacert.org/view.php?id=1260 has a much wider scope, we don't have to wait for a full fix of that one to address the current issue.

wytze

2014-10-18 10:49

developer   ~0005056

By upgrading the CAcert chroot application environment to Debian Wheezy on October 17, 2014 (see https://lists.cacert.org/wws/arc/cacert-systemlog/2014-10/msg00007.html), the SSL support of the cacert.org main webserver has been brought up-to-date. While there is still scope for improvement (e.g. dropping SSLv3 protocol support, dropping 3DES cipher support), the issues raised in this bug entry appear to have been resolved. I will add a note with the current report from www.ssllabs.com for www.cacert.org.

wytze

2014-10-18 10:50

developer  

CAcert-SSLLabsreport-20141018.pdf (111,978 bytes)

wytze

2014-10-18 10:52

developer   ~0005057

Check the attached file https://bugs.cacert.org/file_download.php?file_id=385&type=bug for the SSLLabs report for www.cacert.org on October 18, 2014.

hanno

2014-10-19 15:24

reporter   ~0005059

This issue has now been closed the second time without being fixed. It's getting ridiculous.

Unfixed and mentioned in the original report:
* DH key exchange with insecure length

Other issues:
* No ocsp stapling
* SSLv3 is enabled. If you haven't heard it: SSLv3 is insecure. Completely. This wasn't such a big issue when this bug was opened, but we know better now (POODLE attack 4 days ago)

wytze

2014-10-19 16:04

developer   ~0005060

I did not close the issue, but only reported a significant fix, setting status to "solved?" (note the question mark). Another evaluation would have to take place before the issue could be closed. Evidently it cannot be closed yet.

As for the issues mentioned:
* DH key exchange with insecure length
- DH key length was indeed not addressed by the reported fix.
  Increasing the key length is desirable of course, but currently we are limited
  by the options of the deployed software: Debian Stable (Wheezy) with Apache2
  2.2.22. This will have to wait until Debian Jessie gets promoted to Stable.
* No OCSP stapling
- Not mentioned in the original issue. I agree that OCSP stapling is a nice
  feature to have, but again we are limited by Debian/Apache. OCSP stapling is
  supported from Apache 2.3.3 onwards I think, so again Debian Jessie will be
  fine.
* SSLv3 is enabled
- Yes, it is and will remain so for another while because we are visited by
  clients with MSIE 6.0, which we must support. But we are planning to phase
  them out. In the meantime, we can recommend everyone to use a contemporary
  browser to visit www.cacert.org; such browsers will support TLS_FALLBACK_SCSV,
  which we also support at the server side, so they are protected against
  unintended protocol downgrades.

wytze

2014-10-20 13:22

developer   ~0005061

The SSLv3 issue has been split off in a separate issue:
   https://bugs.cacert.org/view.php?id=1303

wytze

2014-12-01 15:22

developer   ~0005139

On December 1, 2014, support for SSL3 and 3DES has been disabled on the CAcert webserver, and HSTS has been enabled for additional security hardening.
Check for details https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html

Other options mentioned by the reporter of this issue:
- DH key length
- OCSP Stapling
are still waiting for the Debian project promoting Jessie to stable.

wytze

2014-12-01 15:22

developer  

CAcert-SSLLabsreport-20141201.pdf (113,642 bytes)

wytze

2014-12-01 15:23

developer   ~0005140

Check the attached file https://bugs.cacert.org/file_download.php?file_id=393&type=bug for the SSLLabs report for www.cacert.org on December 1, 2014.

sebix

2014-12-14 10:47

reporter   ~0005171

If I haven't overlooked something, this issue has been successfully solved for most sites.
However, lists.cacert.org still supports SSL3 (but all TLS versions up to 1.2) and anonymous ciphers, and the cipher preference could be better. See https://www.ssllabs.com/ssltest/analyze.html?d=lists.cacert.org for more details.

Mathias

2014-12-14 13:36

reporter   ~0005174

Hi!

To summarize things, I checked the situation on the following hosts that I know:

- blog.cacert.org: seems OK
- board.cacert.org: NOT OK, see 0001349
- bugs.cacert.org: seems OK
- cats.cacert.org: seems OK
- email.cacert.org: NOT OK, see 0001350 (HTTPS), 0001351 (SMTP via STARTTLS) - sorry for using the same subject (copy&paste error)
- git.cacert.org: seems OK
- irc.cacert.org: NOT OK, see 0001346
- issue.cacert.org: seems OK
- lists.cacert.org: NOT OK, see 0001347 (HTTPS), 0001352 (SMTP via STARTTLS)
- secure.cacert.org: seems OK
- svn.cacert.org: NOT OK, see 0001348
- translations.cacert.org: NOT OK, see 0001353
- wiki.cacert.org: seems OK
- www.cacert.org: seems OK

Are there any hosts missing?

I think it's too early for the "all clear" signal...

If there's a possibility to help in further examining *and* fixing these issues, please give me a hint.

Regards
Mathias

wytze

2019-01-24 11:36

developer   ~0005749

Reassigning this to jandd because the only issue blocking closing this one is 0001350, which is assigned to jandd.

Issue History

Date Modified Username Field Change
2014-01-27 12:41 hanno New Issue
2014-03-10 18:09 NEOatNHNG Note Added: 0004626
2014-03-10 18:10 NEOatNHNG Assigned To => wytze
2014-03-10 18:10 NEOatNHNG Status new => needs work
2014-03-11 23:08 NEOatNHNG Note Added: 0004635
2014-03-11 23:08 NEOatNHNG Status needs work => solved?
2014-03-11 23:08 NEOatNHNG Fixed in Version => 2014 Q1
2014-03-11 23:08 NEOatNHNG Resolution open => fixed
2014-04-01 21:37 NEOatNHNG Relationship added related to 0001262
2014-07-01 21:56 INOPIAE Status solved? => closed
2014-07-13 12:32 hanno Note Added: 0004885
2014-07-13 12:32 hanno Status closed => needs feedback
2014-07-13 12:32 hanno Resolution fixed => reopened
2014-09-07 14:10 sebix Note Added: 0004990
2014-09-07 14:10 sebix Priority normal => high
2014-09-07 14:10 sebix Severity minor => major
2014-09-07 14:39 wytze Note Added: 0004991
2014-09-07 15:10 sebix Relationship added parent of 0001303
2014-09-07 15:24 sebix Note Added: 0004992
2014-09-07 15:24 sebix Relationship added related to 0001260
2014-09-07 15:37 wytze Relationship added related to 0001301
2014-09-07 15:41 wytze Note Added: 0004993
2014-10-18 10:44 wytze Relationship deleted related to 0001260
2014-10-18 10:49 wytze Note Added: 0005056
2014-10-18 10:49 wytze Status needs feedback => solved?
2014-10-18 10:49 wytze Fixed in Version 2014 Q1 => 2014 Q4
2014-10-18 10:49 wytze Resolution reopened => fixed
2014-10-18 10:50 wytze File Added: CAcert-SSLLabsreport-20141018.pdf
2014-10-18 10:52 wytze Note Added: 0005057
2014-10-19 15:24 hanno Note Added: 0005059
2014-10-19 15:24 hanno Status solved? => needs feedback
2014-10-19 15:24 hanno Resolution fixed => reopened
2014-10-19 16:04 wytze Note Added: 0005060
2014-10-20 13:20 wytze Relationship added parent of 0001314
2014-10-20 13:22 wytze Note Added: 0005061
2014-12-01 15:22 wytze Note Added: 0005139
2014-12-01 15:22 wytze File Added: CAcert-SSLLabsreport-20141201.pdf
2014-12-01 15:23 wytze Note Added: 0005140
2014-12-11 16:38 Mathias Relationship added parent of 0001342
2014-12-14 10:47 sebix Note Added: 0005171
2014-12-14 11:57 Mathias Relationship added parent of 0001346
2014-12-14 11:58 Mathias Relationship added parent of 0001347
2014-12-14 12:13 Mathias Relationship added parent of 0001348
2014-12-14 12:25 Mathias Relationship added parent of 0001349
2014-12-14 12:39 Mathias Relationship added parent of 0001350
2014-12-14 12:51 Mathias Relationship added parent of 0001351
2014-12-14 13:07 Mathias Relationship added parent of 0001352
2014-12-14 13:21 Mathias Relationship added parent of 0001353
2014-12-14 13:36 Mathias Note Added: 0005174
2015-02-07 20:46 Mathias Relationship added parent of 0001370
2019-01-24 11:35 wytze Assigned To wytze => jandd
2019-01-24 11:36 wytze Note Added: 0005749