View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001351 | Main CAcert Website | misc | public | 2014-12-14 12:50 | 2015-01-25 19:55 |
Reporter | Mathias | Assigned To | jandd | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | not fixable | ||
Product Version | 2014 Q4 | ||||
Target Version | 2014 Q4 | ||||
Summary | 0001351: {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure | ||||
Description | Hi! SSL/TLS issues on {community,email}.cacert.org (SMTP via STARTTLS): - SSLv2 enabled - SSLv3 enabled (POODLE attack) - anonymous cipher suites enabled - no TLS v1.1 - no TLS v1.2 - 0 bit ciphers accepted For short: very extremely bad :-( As this host announces itself as 220 email.cacert.org ESMPT mailserver only, I cannot give any further hints. I do hope that there *is* indeed a real mailserver running on this host and that you do *not* let roundcube handle the whole MTA functionality via PHP... Thanks for looking into this issue. Mathias | ||||
Additional Information | email still runs on Lenny :-( | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
|
|
|
Argh, sorry for using the same subject as in 0001350. My copy & paste error. Instead, it rather should be titled as "{community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure" Sorry. |
|
There is not much we can do currently. I added the following to /etc/postfix/main.cf: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_exclude_ciphers = aNULL, MD5, DES most more modern TLS options are not supported in the postfix version of the Debian release used on email/community (Debian Lenny). An update/replacement is urgently needed. sslize results: SCAN RESULTS FOR COMMUNITY.CACERT.ORG:587 - 213.154.225.228:587 --------------------------------------------------------------- * Deflate Compression: VULNERABLE - Server supports Deflate compression * Session Renegotiation: Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations Secure Renegotiation: OK - Supported * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed * Certificate - Content: SHA1 Fingerprint: 9b8e0a6896e5c8e6e68ed810313f7c2ca84ee13f Common Name: community.cacert.org Issuer: CA Cert Signing Authority Serial Number: 0ECA93 Not Before: Apr 8 21:21:02 2014 GMT Not After: Apr 7 21:21:02 2016 GMT Signature Algorithm: sha512WithRSAEncryption Key Size: 4096 bit Exponent: 65537 (0x10001) X509v3 Subject Alternative Name: {'othername': ['<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>'], 'DNS': ['community.cacert.org', 'nocert.community.cacert.org', 'cert.community.cacert.org', 'email.cacert.org', 'nocert.email.cacert.org', 'cert.email.cacert.org']} * Certificate - Trust: Hostname Validation: OK - Subject Alternative Name matches "Mozilla NSS - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Microsoft - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Apple - OS X 10.9.4" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Java 6 - Update 65" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate Certificate Chain Received: ['community.cacert.org'] * Certificate - OCSP Stapling: NOT SUPPORTED - Server did not send back an OCSP response. * SSLV2 Cipher Suites: Server rejected all cipher suites. * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. * TLSV1_2 Cipher Suites: Server rejected all cipher suites. * TLSV1_1 Cipher Suites: Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok Accepted: DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok RC4-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok EDH-RSA-DES-CBC3-SHA DH-1024 bits 112 bits 250 2.0.0 Ok DES-CBC3-SHA - 112 bits 250 2.0.0 Ok * SSLV3 Cipher Suites: Server rejected all cipher suites. SCAN COMPLETED IN 9.03 S ------------------------ |
|
https://starttls.info/check/email.cacert.org gives us a grade A now |
|
|
|
From a today's point of view the SSL/TLS configuration is still unsatisfying (no TLS v1.1 and v1.2) but we are safe at least for the moment. The urgently needed update/replacement of the VERY OLD system is surely a remaining source of problems. But it is so no longer for this specific problem. Therefore, I close this bug "not fixable". Thanks, Jan, for digging deep in this issue. |
Date Modified | Username | Field | Change |
---|---|---|---|
2014-12-14 12:50 | Mathias | New Issue | |
2014-12-14 12:50 | Mathias | File Added: STARTTLS-email.cacert.org-20141214.png | |
2014-12-14 12:51 | Mathias | Relationship added | child of 0001241 |
2014-12-14 13:39 | Mathias | Note Added: 0005175 | |
2014-12-23 20:24 | BenBE | Assigned To | => jandd |
2014-12-23 20:24 | BenBE | Status | new => needs work |
2014-12-23 20:24 | BenBE | Product Version | => 2014 Q4 |
2014-12-23 20:24 | BenBE | Target Version | => 2014 Q4 |
2014-12-27 10:43 | jandd | Summary | {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs => {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure |
2014-12-27 10:43 | jandd | Additional Information Updated | |
2014-12-27 11:02 | jandd | Note Added: 0005206 | |
2014-12-27 11:02 | jandd | Status | needs work => confirmed |
2014-12-27 11:05 | jandd | Note Added: 0005207 | |
2015-01-25 19:36 | Mathias | File Added: STARTTLS-email.cacert.org-20150125.png | |
2015-01-25 19:48 | Mathias | Relationship added | related to 0001350 |
2015-01-25 19:55 | Mathias | Note Added: 0005271 | |
2015-01-25 19:55 | Mathias | Status | confirmed => closed |
2015-01-25 19:55 | Mathias | Resolution | open => not fixable |