View Issue Details

IDProjectCategoryView StatusLast Update
0001350Main CAcert Websitemiscpublic2020-06-27 12:17
ReporterMathias Assigned Tojandd  
PriorityurgentSeveritymajorReproducibilityalways
Status solved?Resolutionfixed 
Product Version2014 Q4 
Target Version2014 Q4 
Summary0001350: {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs
DescriptionHi!

SSL/TLS issues on {community,email}.cacert.org (roundcube via HTTPS):
- anonymous cipher suites enabled
- SSLv3 enabled (POODLE attack)
- no TLS v1.1
- no TLS v1.2
- TLS compression enabled (CRIME attack)
- no secure renegotiation (RFC 5746)
- no forward secrecy with reference browser provided

For short: very extremely bad :-(

Please see
https://lists.cacert.org/wws/arc/cacert-sysadm/2014-12/msg00000.html

Thanks for looking into this issue.

Mathias
TagsNo tags attached.
Attached Files
Reviewed by
Test Instructions

Relationships

related to 0001351 closedjandd {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure 
child of 0001241 solved?jandd cacert.org SSL/TLS configuration is bad on many levels 

Activities

jandd

2014-12-27 11:52

administrator   ~0005209

did the best to improve the configuration but the possibilities are very limited because the community webmail system is still on Apache 2.2.3/Debian Etch and does not support modern TLS versions or cipher suites.

At least we get a grade B at ssllabs now.

Mathias

2015-01-25 17:53

reporter   ~0005268

Debian 4.0 Etch had received official support until 15 Feb 2010 - which is nearly five years ago! Hm, if this system isn't actually used/maintained by anybody, there might be someone to press the "big red button" for it...

Mathias

2015-01-25 18:10

reporter   ~0005269

I just saw on https://wiki.cacert.org/SystemAdministration/Systems/Email that pressing the "red button" is not a good idea.

From a today's point of view the SSL/TLS configuration is still not satisfying. But the main cause and source of problems (also the ones of this bug) is the VERY OLD system. So, I leave this bug open with stomach pains :-)

However, thanks, Jan, for digging so deep in this issue.

jandd

2020-06-27 12:17

administrator   ~0005888

email, webmail and community get a grade A (ignoring trust issues) now. https has been tested with the ssllabs test, smtp and imap have been tested using https://github.com/drwetter/testssl.sh

Issue History

Date Modified Username Field Change
2014-12-14 12:38 Mathias New Issue
2014-12-14 12:38 Mathias File Added: SSL_Labs-email.cacert.org-grade_F-20141214.pdf
2014-12-14 12:39 Mathias Relationship added child of 0001241
2014-12-23 20:23 BenBE Assigned To => jandd
2014-12-23 20:23 BenBE Status new => needs work
2014-12-23 20:23 BenBE Product Version => 2014 Q4
2014-12-23 20:23 BenBE Target Version => 2014 Q4
2014-12-27 11:52 jandd Note Added: 0005209
2014-12-27 11:52 jandd Status needs work => confirmed
2015-01-25 17:42 Mathias File Added: SSL_Labs-email.cacert.org-grade_B-20150125.pdf
2015-01-25 17:53 Mathias Note Added: 0005268
2015-01-25 18:10 Mathias Note Added: 0005269
2015-01-25 19:48 Mathias Relationship added related to 0001351
2020-06-27 12:17 jandd Status confirmed => solved?
2020-06-27 12:17 jandd Resolution open => fixed
2020-06-27 12:17 jandd Note Added: 0005888