View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001350 | Main CAcert Website | misc | public | 2014-12-14 12:38 | 2020-06-27 12:17 |
Reporter | Mathias | Assigned To | jandd | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | solved? | Resolution | fixed | ||
Product Version | 2014 Q4 | ||||
Target Version | 2014 Q4 | ||||
Summary | 0001350: {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Reviewed by | |||||
Test Instructions | |||||

Description

Hi! SSL/TLS issues on {community,email}.cacert.org (roundcube via HTTPS):

- anonymous cipher suites enabled
- SSLv3 enabled (POODLE attack)
- no TLS v1.1
- no TLS v1.2
- TLS compression enabled (CRIME attack)
- no secure renegotiation (RFC 5746)
- no forward secrecy with reference browser provided

For short: very extremely bad :-(

Please see https://lists.cacert.org/wws/arc/cacert-sysadm/2014-12/msg00000.html

Thanks for looking into this issue.

Mathias
I did my best to improve the configuration, but the possibilities are very limited because the community webmail system is still on Apache 2.2.3/Debian Etch and does not support modern TLS versions or cipher suites. At least we get a grade B at SSL Labs now.
Debian 4.0 Etch received official support until 15 Feb 2010, which is nearly five years ago! Hm, if this system isn't actually used/maintained by anybody, there might be someone to press the "big red button" for it...
I just saw on https://wiki.cacert.org/SystemAdministration/Systems/Email that pressing the "red button" is not a good idea. From today's point of view the SSL/TLS configuration is still not satisfying. But the main cause and source of problems (also the ones of this bug) is the VERY OLD system. So, I leave this bug open with stomach pains :-) However, thanks, Jan, for digging so deep into this issue.
email, webmail and community get a grade A (ignoring trust issues) now. HTTPS has been tested with the SSL Labs test; SMTP and IMAP have been tested using https://github.com/drwetter/testssl.sh
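The issue's list of findings maps almost one to one onto mod_ssl directives, and the notes explain why Apache 2.2.3 could not be fixed in place: `SSLInsecureRenegotiation` only exists from Apache 2.2.15 and `SSLCompression` from 2.2.24/2.4.3. The following added example (not CAcert's configuration and not code from this tracker) puts a constructed fragment approximating the reported grade-F state beside a hardened Apache 2.4 fragment, and runs a small audit over both that reports the same weakness classes the reporter listed. The directive names are real mod_ssl directives; the protocol model assumes Apache 2.4 with OpenSSL 1.1.1 (`all` expands to SSLv3 through TLSv1.3), and the cipher-string checks are deliberately conservative string heuristics rather than a real OpenSSL cipher-list expansion, so an explicit suite list without `!aNULL` is still flagged.

```python
"""Audit an Apache mod_ssl fragment for the weakness classes reported in this issue.

Added example, not CAcert's configuration or code. Assumes Apache 2.4 with
OpenSSL 1.1.1 for the meaning of "all" in SSLProtocol; cipher checks are
string heuristics, not an OpenSSL cipher-list expansion.
"""

# Constructed fragment approximating the reported state: SSLv3 offered, no TLS 1.1
# or 1.2, a broad alias that still admits anonymous DH suites, compression and
# insecure (pre-RFC 5746) renegotiation allowed.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol SSLv3 TLSv1
SSLCipherSuite ALL:!EXPORT:!LOW
SSLCompression on
SSLInsecureRenegotiation on
"""

# Constructed hardened fragment: TLS 1.2 and 1.3 only, ECDHE/DHE AEAD suites first so
# forward secrecy is preferred, anonymous suites excluded, server-side cipher order,
# compression and insecure renegotiation switched off.
HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5
SSLHonorCipherOrder on
SSLCompression off
SSLInsecureRenegotiation off
"""

# What "all" expands to (assumption: Apache 2.4 on OpenSSL 1.1.1), lower-cased.
ALL_PROTOCOLS = ("sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3")
# Cipher-string prefixes that select ephemeral (EC)DH key exchange, upper-cased.
FS_PREFIXES = ("ECDHE", "DHE", "EECDH", "EDH", "KEECDH", "KEDH")


def parse_directives(config):
    """Map each directive (case-insensitive name) to its last value, skipping comments."""
    directives = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(spec):
    """Apply the SSLProtocol grammar: bare or +name adds, -name removes, all expands."""
    enabled = set()
    for token in spec.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else (name.lower(),)
        for n in names:
            enabled.add(n) if op == "+" else enabled.discard(n)
    return enabled


def audit(config):
    """Return the sorted weakness codes found in a mod_ssl fragment (empty = clean)."""
    d = parse_directives(config)
    findings = []
    protocols = enabled_protocols(d.get("sslprotocol", "all"))
    if "sslv3" in protocols:
        findings.append("sslv3-enabled")          # POODLE
    if "tlsv1.2" not in protocols:
        findings.append("no-tlsv1.2")
    suite = d.get("sslciphersuite", "DEFAULT")
    tokens = suite.split(":")
    # Conservative: only an explicit !aNULL proves anonymous DH/ECDH suites are out.
    if not any(t.lower() == "!anull" for t in tokens):
        findings.append("anonymous-suites")
    # Forward secrecy is only reliably negotiated when the server both lists an
    # ephemeral suite first and enforces its own order over the client's.
    fs_first = tokens[0].upper().startswith(FS_PREFIXES)
    if not (fs_first and d.get("sslhonorcipherorder", "off").lower() == "on"):
        findings.append("no-forward-secrecy")
    # A missing SSLCompression is flagged too: Apache older than 2.2.24/2.4.3 (such as
    # the 2.2.3 in this issue) had no way to turn it off.
    if d.get("sslcompression", "on").lower() != "off":
        findings.append("compression")            # CRIME
    if d.get("sslinsecurerenegotiation", "off").lower() == "on":
        findings.append("insecure-renegotiation")  # RFC 5746 not enforced
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

The audit is a configuration review aid, not a replacement for probing the live endpoint as the last note does with SSL Labs and testssl.sh: what the server actually negotiates also depends on the OpenSSL build behind mod_ssl, which is exactly the limitation the Etch system ran into.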
Date Modified | Username | Field | Change |
---|---|---|---|
2014-12-14 12:38 | Mathias | New Issue | |
2014-12-14 12:38 | Mathias | File Added: SSL_Labs-email.cacert.org-grade_F-20141214.pdf | |
2014-12-14 12:39 | Mathias | Relationship added | child of 0001241 |
2014-12-23 20:23 | BenBE | Assigned To | => jandd |
2014-12-23 20:23 | BenBE | Status | new => needs work |
2014-12-23 20:23 | BenBE | Product Version | => 2014 Q4 |
2014-12-23 20:23 | BenBE | Target Version | => 2014 Q4 |
2014-12-27 11:52 | jandd | Note Added: 0005209 | |
2014-12-27 11:52 | jandd | Status | needs work => confirmed |
2015-01-25 17:42 | Mathias | File Added: SSL_Labs-email.cacert.org-grade_B-20150125.pdf | |
2015-01-25 17:53 | Mathias | Note Added: 0005268 | |
2015-01-25 18:10 | Mathias | Note Added: 0005269 | |
2015-01-25 19:48 | Mathias | Relationship added | related to 0001351 |
2020-06-27 12:17 | jandd | Status | confirmed => solved? |
2020-06-27 12:17 | jandd | Resolution | open => fixed |
2020-06-27 12:17 | jandd | Note Added: 0005888 |