View Issue Details

ID: 0001350
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2015-01-25 21:13
Reporter: Mathias
Assigned To: jandd
Priority: urgent
Severity: major
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 2014 Q4
Target Version: 2014 Q4
Fixed in Version:
Summary: 0001350: {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs
Description:
Hi!

SSL/TLS issues on {community,email}.cacert.org (roundcube via HTTPS):
- anonymous cipher suites enabled
- SSLv3 enabled (POODLE attack)
- no TLS v1.1
- no TLS v1.2
- TLS compression enabled (CRIME attack)
- no secure renegotiation (RFC 5746)
- no forward secrecy with reference browser provided

In short: very extremely bad :-(

Please see
https://lists.cacert.org/wws/arc/cacert-sysadm/2014-12/msg00000.html

Thanks for looking into this issue.

Mathias
Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001351 (closed, jandd): {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure
child of 0001241 (needs feedback, jandd): cacert.org SSL/TLS configuration is bad on many levels

Activities

Mathias

2014-12-14 12:38

reporter  

SSL_Labs-email.cacert.org-grade_F-20141214.pdf (169,102 bytes)

jandd

2014-12-27 11:52

administrator ~0005209

Did the best to improve the configuration, but the possibilities are very limited because the community webmail system is still on Apache 2.2.3/Debian Etch and does not support modern TLS versions or cipher suites.

At least we get a grade B at ssllabs now.

Mathias

2015-01-25 17:42

reporter  

SSL_Labs-email.cacert.org-grade_B-20150125.pdf (100,750 bytes)

Mathias

2015-01-25 17:53

reporter ~0005268

Debian 4.0 Etch had received official support until 15 Feb 2010 - which is nearly five years ago! Hm, if this system isn't actually used/maintained by anybody, there might be someone to press the "big red button" for it...

Mathias

2015-01-25 18:10

reporter ~0005269

I just saw on https://wiki.cacert.org/SystemAdministration/Systems/Email that pressing the "red button" is not a good idea.

From today's point of view the SSL/TLS configuration is still not satisfying. But the main cause and source of problems (also the ones of this bug) is the VERY OLD system. So, I leave this bug open with stomach pains :-)

However, thanks, Jan, for digging so deep in this issue.
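For reference, the mod_ssl directives that address each finding in the description, shown as a weak virtual host beside its hardened counterpart. This is an added example, not the ticket's or CAcert's configuration; it assumes Apache 2.4 with mod_ssl and a placeholder hostname (as jandd notes, Apache 2.2.3 cannot offer TLS 1.1/1.2 at all).

```apache
# Added example, not taken from the CAcert systems. Assumes Apache 2.4 / mod_ssl.

# --- Weak: a configuration that reproduces the findings listed in the ticket ---
<VirtualHost *:443>
    ServerName webmail.example.org      # placeholder hostname
    SSLEngine on
    SSLProtocol all                     # "all" still includes SSLv3 -> POODLE
    SSLCipherSuite ALL                  # includes aNULL (anonymous) suites
    SSLHonorCipherOrder off             # client may pick a non-PFS suite
    SSLCompression on                   # TLS compression -> CRIME
    SSLInsecureRenegotiation on         # accepts peers without RFC 5746
</VirtualHost>

# --- Hardened: one directive per finding ---
<VirtualHost *:443>
    ServerName webmail.example.org      # placeholder hostname
    SSLEngine on
    SSLProtocol -all +TLSv1.2           # no SSLv3; add +TLSv1.1 only for legacy clients
    SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4
    SSLHonorCipherOrder on              # server prefers the (EC)DHE suites -> forward secrecy
    SSLCompression off                  # closes CRIME
    SSLInsecureRenegotiation off        # RFC 5746 secure renegotiation only
</VirtualHost>
```

After changing the vhost, `apachectl configtest` catches directives the installed mod_ssl does not know, and a fresh SSL Labs scan confirms each item from the description has cleared.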

Issue History

Date Modified Username Field Change
2014-12-14 12:38 Mathias New Issue
2014-12-14 12:38 Mathias File Added: SSL_Labs-email.cacert.org-grade_F-20141214.pdf
2014-12-14 12:39 Mathias Relationship added child of 0001241
2014-12-23 20:23 BenBE Assigned To => jandd
2014-12-23 20:23 BenBE Status new => needs work
2014-12-23 20:23 BenBE Product Version => 2014 Q4
2014-12-23 20:23 BenBE Target Version => 2014 Q4
2014-12-27 11:52 jandd Note Added: 0005209
2014-12-27 11:52 jandd Status needs work => confirmed
2015-01-25 17:42 Mathias File Added: SSL_Labs-email.cacert.org-grade_B-20150125.pdf
2015-01-25 17:53 Mathias Note Added: 0005268
2015-01-25 18:10 Mathias Note Added: 0005269
2015-01-25 19:48 Mathias Relationship added related to 0001351