|
|
STARTTLS-email.cacert.org-20141214.png (69,369 bytes) |
|
|
Argh, sorry for using the same subject as in 0001350. My copy & paste error. Instead, it rather should be titled as "{community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure" Sorry. |
|
|
There is not much we can do currently. I added the following to /etc/postfix/main.cf: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_exclude_ciphers = aNULL, MD5, DES most more modern TLS options are not supported in the postfix version of the Debian release used on email/community (Debian Lenny). An update/replacement is urgently needed. sslize results: SCAN RESULTS FOR COMMUNITY.CACERT.ORG:587 - 213.154.225.228:587 --------------------------------------------------------------- * Deflate Compression: VULNERABLE - Server supports Deflate compression * Session Renegotiation: Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations Secure Renegotiation: OK - Supported * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed * Certificate - Content: SHA1 Fingerprint: 9b8e0a6896e5c8e6e68ed810313f7c2ca84ee13f Common Name: community.cacert.org Issuer: CA Cert Signing Authority Serial Number: 0ECA93 Not Before: Apr 8 21:21:02 2014 GMT Not After: Apr 7 21:21:02 2016 GMT Signature Algorithm: sha512WithRSAEncryption Key Size: 4096 bit Exponent: 65537 (0x10001) X509v3 Subject Alternative Name: {'othername': ['<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>'], 'DNS': ['community.cacert.org', 'nocert.community.cacert.org', 'cert.community.cacert.org', 'email.cacert.org', 'nocert.email.cacert.org', 'cert.email.cacert.org']} * Certificate - Trust: Hostname Validation: OK - Subject Alternative Name matches "Mozilla NSS - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Microsoft - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Apple - OS X 10.9.4" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Java 6 - Update 65" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate Certificate Chain Received: ['community.cacert.org'] * Certificate - OCSP Stapling: NOT SUPPORTED - Server did not send back an OCSP response. * SSLV2 Cipher Suites: Server rejected all cipher suites. * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. * TLSV1_2 Cipher Suites: Server rejected all cipher suites. * TLSV1_1 Cipher Suites: Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok Accepted: DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok RC4-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok EDH-RSA-DES-CBC3-SHA DH-1024 bits 112 bits 250 2.0.0 Ok DES-CBC3-SHA - 112 bits 250 2.0.0 Ok * SSLV3 Cipher Suites: Server rejected all cipher suites. SCAN COMPLETED IN 9.03 S ------------------------ |
|
|
https://starttls.info/check/email.cacert.org gives us a grade A now |
|
|
STARTTLS-email.cacert.org-20150125.png (59,665 bytes) |
|
|
From a today's point of view the SSL/TLS configuration is still unsatisfying (no TLS v1.1 and v1.2) but we are safe at least for the moment. The urgently needed update/replacement of the VERY OLD system is surely a remaining source of problems. But it is so no longer for this specific problem. Therefore, I close this bug "not fixable". Thanks, Jan, for digging deep in this issue. |
- Anonymous
