View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001352 | Main CAcert Website | misc | public | 2014-12-14 13:07 | 2015-01-25 20:15 |
Reporter | Mathias | Assigned To | jandd | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2014 Q4 | ||||
Target Version | 2014 Q4 | ||||
Summary | 0001352: list.cacert.org SSL/TLS configuration for SMTP is completely insecure | ||||
Description | Hi! SSL/TLS issues on lists.cacert.org (SMTP via STARTTLS): - SSLv2 enabled - SSLv3 enabled (POODLE attack) - anonymous cipher suites enabled - no TLS v1.1 - no TLS v1.2 - 0 bit ciphers accepted For short: very extremely bad :-( This host announces itself as 220 lists.cacert.org ESMPT Postfix (Debian/GNU) so the sections about the Postfix MTA on the BetterCrypto.org website https://bettercrypto.org/ may serve as a first step to improve the current situation. Thanks for looking into this issue. Mathias | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Reviewed by | |||||
Test Instructions | |||||
|
diff --git a/postfix/main.cf b/postfix/main.cf index 3072684..279b79f 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -21,11 +21,18 @@ smtpd_tls_key_file=/etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem smtpd_use_tls=yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_exclude_ciphers = aNULL, MD5, DES, RC4, ADH, 3DES +smtpd_tls_protocols = !SSLv2 smtp_tls_cert_file=$smtpd_tls_cert_file smtp_tls_key_file=$smtpd_tls_key_file smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_ciphers = high +smtp_tls_mandatory_ciphers = high +smtp_tls_exclude_ciphers = aNULL, MD5, DES, RC4 +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtp_tls_protocols = !SSLv2 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. makes sslize happy: CHECKING HOST(S) AVAILABILITY ----------------------------- lists.cacert.org:25 => 213.154.225.231:25 SCAN RESULTS FOR LISTS.CACERT.ORG:25 - 213.154.225.231:25 --------------------------------------------------------- * Deflate Compression: VULNERABLE - Server supports Deflate compression * Session Renegotiation: Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations Secure Renegotiation: OK - Supported * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed * Certificate - Content: SHA1 Fingerprint: 6aae1690a21fcc1bb79371c01bbd2e14686945ea Common Name: lists.cacert.org Issuer: CA Cert Signing Authority Serial Number: 0ECAB8 Not Before: Apr 8 21:53:18 2014 GMT Not After: Apr 7 21:53:18 2016 GMT Signature Algorithm: sha512WithRSAEncryption Key Size: 4096 bit Exponent: 65537 (0x10001) X509v3 Subject Alternative Name: {'othername': ['<unsupported>', '<unsupported>', '<unsupported>'], 'DNS': ['lists.cacert.org', 'cert.lists.cacert.org', 'nocert.lists.cacert.org']} * Certificate - Trust: Hostname Validation: OK - Subject Alternative Name matches "Mozilla NSS - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Microsoft - 08/2014" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Apple - OS X 10.9.4" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate "Java 6 - Update 65" CA Store: FAILED - Certificate is NOT Trusted: unable to get local issuer certificate Certificate Chain Received: ['lists.cacert.org'] * Certificate - OCSP Stapling: NOT SUPPORTED - Server did not send back an OCSP response. * SSLV2 Cipher Suites: Server rejected all cipher suites. * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. * TLSV1_2 Cipher Suites: Preferred: ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok Accepted: ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA256 DH-1024 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-GCM-SHA384 DH-1024 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA256 - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA256 DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-GCM-SHA256 DH-1024 bits 128 bits 250 2.0.0 Ok SEED-SHA - 128 bits 250 2.0.0 Ok CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok AES128-SHA256 - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok AES128-GCM-SHA256 - 128 bits 250 2.0.0 Ok * TLSV1_1 Cipher Suites: Preferred: ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok Accepted: ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok SEED-SHA - 128 bits 250 2.0.0 Ok CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok * TLSV1 Cipher Suites: Preferred: ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok Accepted: ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok SEED-SHA - 128 bits 250 2.0.0 Ok CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok * SSLV3 Cipher Suites: Preferred: ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok Accepted: ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-1024 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-1024 bits 128 bits 250 2.0.0 Ok SEED-SHA - 128 bits 250 2.0.0 Ok CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok SCAN COMPLETED IN 10.47 S ------------------------- unfortunatelly SSL compression cannot be disabled for postfix 2.9.x |
|
Closed, thanks. |
Date Modified | Username | Field | Change |
---|---|---|---|
2014-12-14 13:07 | Mathias | New Issue | |
2014-12-14 13:07 | Mathias | File Added: STARTTLS-lists.cacert.org-20141214.png | |
2014-12-14 13:07 | Mathias | Relationship added | child of 0001241 |
2014-12-23 20:25 | BenBE | Assigned To | => jandd |
2014-12-23 20:25 | BenBE | Status | new => needs work |
2014-12-23 20:25 | BenBE | Product Version | => 2014 Q4 |
2014-12-23 20:25 | BenBE | Target Version | => 2014 Q4 |
2014-12-27 11:31 | jandd | Note Added: 0005208 | |
2014-12-27 11:31 | jandd | Status | needs work => solved? |
2014-12-27 11:31 | jandd | Resolution | open => fixed |
2015-01-25 20:15 | Mathias | Note Added: 0005273 | |
2015-01-25 20:15 | Mathias | Status | solved? => closed |