View Issue Details

IDProjectCategoryView StatusLast Update
0001351Main CAcert Websitemiscpublic2015-01-25 19:55
ReporterMathiasAssigned Tojandd 
PriorityurgentSeveritymajorReproducibilityalways
Status closedResolutionnot fixable 
Product Version2014 Q4 
Target Version2014 Q4Fixed in Version 
Summary0001351: {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure
DescriptionHi!

SSL/TLS issues on {community,email}.cacert.org (SMTP via STARTTLS):

- SSLv2 enabled
- SSLv3 enabled (POODLE attack)
- anonymous cipher suites enabled
- no TLS v1.1
- no TLS v1.2
- 0 bit ciphers accepted

For short: very extremely bad :-(

As this host announces itself as

  220 email.cacert.org ESMPT mailserver

only, I cannot give any further hints. I do hope that there *is* indeed a real mailserver running on this host and that you do *not* let roundcube handle the whole MTA functionality via PHP...

Thanks for looking into this issue.

Mathias
Additional Informationemail still runs on Lenny :-(
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001350 confirmedjandd {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs 
child of 0001241 needs feedbackjandd cacert.org SSL/TLS configuration is bad on many levels 

Activities

Mathias

2014-12-14 12:50

reporter  

Mathias

2014-12-14 13:39

reporter   ~0005175

Argh, sorry for using the same subject as in 0001350. My copy & paste error.
Instead, it rather should be titled as

"{community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure"

Sorry.

jandd

2014-12-27 11:02

administrator   ~0005206

There is not much we can do currently. I added the following to /etc/postfix/main.cf:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, MD5, DES

most more modern TLS options are not supported in the postfix version of the Debian release used on email/community (Debian Lenny). An update/replacement is urgently needed.

sslize results:

 SCAN RESULTS FOR COMMUNITY.CACERT.ORG:587 - 213.154.225.228:587
 ---------------------------------------------------------------

  * Deflate Compression:
      VULNERABLE - Server supports Deflate compression

  * Session Renegotiation:
      Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation: OK - Supported

  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed

  * Certificate - Content:
      SHA1 Fingerprint: 9b8e0a6896e5c8e6e68ed810313f7c2ca84ee13f
      Common Name: community.cacert.org
      Issuer: CA Cert Signing Authority
      Serial Number: 0ECA93
      Not Before: Apr 8 21:21:02 2014 GMT
      Not After: Apr 7 21:21:02 2016 GMT
      Signature Algorithm: sha512WithRSAEncryption
      Key Size: 4096 bit
      Exponent: 65537 (0x10001)
      X509v3 Subject Alternative Name: {'othername': ['<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>', '<unsupported>'], 'DNS': ['community.cacert.org', 'nocert.community.cacert.org', 'cert.community.cacert.org', 'email.cacert.org', 'nocert.email.cacert.org', 'cert.email.cacert.org']}

  * Certificate - Trust:
      Hostname Validation: OK - Subject Alternative Name matches
      "Mozilla NSS - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
      "Microsoft - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
      "Apple - OS X 10.9.4" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
      "Java 6 - Update 65" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
      Certificate Chain Received: ['community.cacert.org']

  * Certificate - OCSP Stapling:
      NOT SUPPORTED - Server did not send back an OCSP response.

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * Session Resumption:
      With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted.

  * TLSV1_2 Cipher Suites:
      Server rejected all cipher suites.

  * TLSV1_1 Cipher Suites:
      Server rejected all cipher suites.

  * TLSV1 Cipher Suites:
      Preferred:
                 DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok
      Accepted:
                 DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok
                 AES256-SHA - 256 bits 250 2.0.0 Ok
                 DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok
                 RC4-SHA - 128 bits 250 2.0.0 Ok
                 AES128-SHA - 128 bits 250 2.0.0 Ok
                 EDH-RSA-DES-CBC3-SHA DH-1024 bits 112 bits 250 2.0.0 Ok
                 DES-CBC3-SHA - 112 bits 250 2.0.0 Ok

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.



 SCAN COMPLETED IN 9.03 S
 ------------------------

jandd

2014-12-27 11:05

administrator   ~0005207

https://starttls.info/check/email.cacert.org gives us a grade A now

Mathias

2015-01-25 19:36

reporter  

Mathias

2015-01-25 19:55

reporter   ~0005271

From a today's point of view the SSL/TLS configuration is still unsatisfying (no TLS v1.1 and v1.2) but we are safe at least for the moment.

The urgently needed update/replacement of the VERY OLD system is surely a remaining source of problems. But it is so no longer for this specific problem. Therefore, I close this bug "not fixable".

Thanks, Jan, for digging deep in this issue.

Issue History

Date Modified Username Field Change
2014-12-14 12:50 Mathias New Issue
2014-12-14 12:50 Mathias File Added: STARTTLS-email.cacert.org-20141214.png
2014-12-14 12:51 Mathias Relationship added child of 0001241
2014-12-14 13:39 Mathias Note Added: 0005175
2014-12-23 20:24 BenBE Assigned To => jandd
2014-12-23 20:24 BenBE Status new => needs work
2014-12-23 20:24 BenBE Product Version => 2014 Q4
2014-12-23 20:24 BenBE Target Version => 2014 Q4
2014-12-27 10:43 jandd Summary {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs => {community,email}.cacert.org SSL/TLS configuration for SMTP is completely insecure
2014-12-27 10:43 jandd Additional Information Updated View Revisions
2014-12-27 11:02 jandd Note Added: 0005206
2014-12-27 11:02 jandd Status needs work => confirmed
2014-12-27 11:05 jandd Note Added: 0005207
2015-01-25 19:36 Mathias File Added: STARTTLS-email.cacert.org-20150125.png
2015-01-25 19:48 Mathias Relationship added related to 0001350
2015-01-25 19:55 Mathias Note Added: 0005271
2015-01-25 19:55 Mathias Status confirmed => closed
2015-01-25 19:55 Mathias Resolution open => not fixable