[Dovecot] force ciphers order for clients
Hi Timo,
reading this
http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/
it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use with apple mail
(if no ECDHE is possible, by missing openssl 1.x etc, seems that apple mail tries ECDHE first, if that fails it's going to use RSA-AES128-SHA)
force solution as tried
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4
so far so good, it worked nice with recent thunderbird too but it fails with outlook 2003 pop3s / win7
so i thought about using an order like this
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
does that make sense? (using dove 2.1.x / openssl 0.9x)
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263 Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Chairman of the supervisory board: Florian Kirstein
On 14.08.2013 18:54, Robert Schetterer wrote:
http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/
it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use with apple mail
(if no ECDHE is possible, by missing openssl 1.x etc, seems that apple mail tries ECDHE first, if that fails it's going to use RSA-AES128-SHA)
force solution as tried
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4
so far so good, it worked nice with recent thunderbird too but it fails with outlook 2003 pop3s / win7
so i thought about using an order like this
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
is what is *highly* recommended after testing webservers by https://www.ssllabs.com/ssltest/ and works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently there exists even no way to force web-browsers to FS without open BEAST-attack and i doubt in context mail it does not look much better
however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
On 14.08.2013 19:03, Reindl Harald wrote:
On 14.08.2013 18:54, Robert Schetterer wrote:
http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/
it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use with apple mail
(if no ECDHE is possible, by missing openssl 1.x etc, seems that apple mail tries ECDHE first, if that fails it's going to use RSA-AES128-SHA)
force solution as tried
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4
so far so good, it worked nice with recent thunderbird too but it fails with outlook 2003 pop3s / win7
so i thought about using an order like this
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
is what is *highly* recommended after testing webservers by https://www.ssllabs.com/ssltest/ and works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently
hm, do you have the exact url for test results with mail clients?
there exists even no way to force web-browsers to FS without open BEAST-attack and i doubt in context mail it does not look much better
however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yet
Best Regards MfG Robert Schetterer
On 14.08.2013 20:42, Robert Schetterer wrote:
On 14.08.2013 19:03, Reindl Harald wrote:
ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
is what is *highly* recommended after testing webservers by https://www.ssllabs.com/ssltest/ and works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently
hm, do you have the exact url for test results with mail clients?
no, sadly i can only refer to https://www.ssllabs.com/ssltest/ and assume that TLS in context mail is not much different, what would be cool is a comparable test-site because the handshake-examples which client is using which ciphers in combination with your current config from ssllabs is wonderful
if someone knows such a tool for mailservers post it here and on the postfix list with uppercase letters in the subject
there exists even no way to force web-browsers to FS without open BEAST-attack and i doubt in context mail it does not look much better
however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yet
so you can practically forget it
before openssl 1.0.1 TLS 1.2 does not work, confirmed by our upgrade to Fedora 18: all services now support TLS 1.2, with Fedora 17 and openssl 1.0 no way
and for dovecot the release note for 2.2.5 is pretty clear "SSL: Added support for ECDH/ECDHE cipher suite"
-------- Original Message --------
Subject: [Dovecot-news] v2.2.5 released
Date: Mon, 5 Aug 2013 23:03:38 +0300
From: Timo Sirainen tss@iki.fi
Reply-To: dovecot@dovecot.org
To: dovecot-news@dovecot.org dovecot-news@dovecot.org, dovecot@dovecot.org List dovecot@dovecot.org
http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz.sig
So, I'm back from the first vacation I've had in about 10 years. (Well, maybe there were a few short ones.) I was planning on coding it the whole time, but looks like I didn't manage to get anything at all done. Maybe that's a good vacation?.. Anyway, I've still a few more pending things to look into, but it's been too long since v2.2.4 so here are the fixes so far.
+ SSL: Added support for ECDH/ECDHE cipher suites (by David Hicks)
+ Added some missing man pages (by Pascal Volk)
+ quota-status: Added quota_status_toolarge setting (by Ulrich Zehl)
- director: Users near expiration could have been redirected to
different servers at the same time.
- pop3: Avoid assert-crash if client disconnects during LIST.
- mdbox: Corrupted index header still wasn't automatically fixed.
- dsync: Various fixes to work better with imapc and pop3c storages.
- ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl
symbols conflicted with Cyrus SASL library.
- imap: Various error handling fixes to CATENATE. (Found using
Apple's stress test script.)
On 14.08.2013 20:54, Reindl Harald wrote:
On 14.08.2013 20:42, Robert Schetterer wrote:
On 14.08.2013 19:03, Reindl Harald wrote:
ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
is what is *highly* recommended after testing webservers by https://www.ssllabs.com/ssltest/ and works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently
hm, do you have the exact url for test results with mail clients?
no, sadly i can only refer to https://www.ssllabs.com/ssltest/ and assume that TLS in context mail is not much different, what would be cool is a comparable test-site because the handshake-examples which client is using which ciphers in combination with your current config from ssllabs is wonderful
so if there is no proofed real world test client validation much support may come up with older clients
if someone knows such a tool for mailservers post it here and on the postfix list with uppercase letters in the subject
there exists even no way to force web-browsers to FS without open BEAST-attack and i doubt in context mail it does not look much better
however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yet
so you can practically forget it
perhaps true forever, as long as old clients are around, cause the server can only work around them
before openssl 1.0.1 TLS 1.2 does not work, confirmed by our upgrade to Fedora 18: all services now support TLS 1.2, with Fedora 17 and openssl 1.0 no way
and for dovecot the release note for 2.2.5 is pretty clear "SSL: Added support for ECDH/ECDHE cipher suite"
my only goal is to force Forward Secrecy
DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA should be enough for that and are working with 0.9x openssl, true ECDH/ECDHE is much better
question was if
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
does make sense, to prime the announce of DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA before other ciphers and with default restrictions
Best Regards MfG Robert Schetterer
On 14.08.2013 21:19, Robert Schetterer wrote:
thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yet
so you can practically forget it
perhaps true forever, as long as old clients are around, cause the server can only work around them
not absolutely
playing around with the settings below and https://www.ssllabs.com/ssltest/ turned out that the order is what counts, and that is really tricky
i played around 5 hours with this absolutely crap
adding !MEDIUM results in open from CRIME or BEAST attack because some clients choose a vulnerable cipher, but it would raise up the overall points of the test BUT at the same time perfect forward secrecy for most clients while with settings below only for Apple iOS/Safari
without the -SHA1 also vulnerable for one of the new attacks sorry, i refused to notice what and tried to achieve best possible encryption while not fall back to classification B what is important for security audits
BEAST attack is unlikely in context mail
IMHO this is all bullshit currently *but* if recent clients start to act smarter they can choose the best possible cipher offered from the server and after that you have your compatibility net for old clients - currently this all is a tragedy, but having PRISM/NSA and the latest news about in mind most likely recent clients will be able to choose a "perfect forward secrecy" capable cipher if offered by the server independent of weaker ones
the real problem in your case will most likely be that most of the shiny new things in this area will require recent openssl and TLS1.2 (sadly not supported by Mozilla/NSS for now)
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLInsecureRenegotiation Off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5
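Added example (not part of the thread and not Dovecot or Apache code): a small Python model of how a TLS server picks one suite from the client's offer, showing why a DHE-first list with a fallback tail only yields forward secrecy when the server enforces its own order, as `SSLHonorCipherOrder On` does in the Apache settings above. The expanded server lists and both client offers are constructed stand-ins, not captured handshakes.

```python
# Added illustration: suite selection with and without server-enforced order.
# Suite names are OpenSSL names; AES128-SHA is what the thread calls RSA-AES128-SHA.

FS_PREFIXES = ("DHE-", "ECDHE-", "EDH-")  # ephemeral (EC)DH key exchange

# Constructed stand-ins for the two server settings discussed in the thread.
STRICT = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]
# The tail is an assumed, shortened stand-in for what "ALL:!LOW:..." would add.
DHE_FIRST = STRICT + ["AES256-SHA", "AES128-SHA", "RC4-SHA"]

# Constructed client offers in client preference order (hypothetical clients).
CLIENTS = {
    "ecdhe_then_rsa": ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"],
    "legacy_no_dhe": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],
}


def has_forward_secrecy(suite):
    """True when the suite name indicates an ephemeral key exchange."""
    return suite is not None and suite.startswith(FS_PREFIXES)


def negotiate(server_list, client_list, honor_server_order):
    """Return the suite the server selects, or None when nothing is shared."""
    shared = set(server_list) & set(client_list)
    walk = server_list if honor_server_order else client_list
    return next((s for s in walk if s in shared), None)


def survey(server_list, honor_server_order):
    """Map each sample client to (selected suite, forward secrecy?)."""
    out = {}
    for name, offer in CLIENTS.items():
        suite = negotiate(server_list, offer, honor_server_order)
        out[name] = (suite, has_forward_secrecy(suite))
    return out


if __name__ == "__main__":
    for label, server in (("strict", STRICT), ("dhe_first", DHE_FIRST)):
        for honor in (False, True):
            print(label, "honor_server_order=%s" % honor, survey(server, honor))
```

With the strict list the client without DHE gets no connection at all; with the DHE-first list it connects either way, but the other client only lands on a DHE suite in the `honor_server_order=True` rows.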
On 14.08.2013 21:30, Reindl Harald wrote:
On 14.08.2013 21:19, Robert Schetterer wrote:
thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yet
so you can practically forget it
perhaps true forever, as long as old clients are around, cause the server can only work around them
not absolutely
playing around with the settings below and https://www.ssllabs.com/ssltest/ turned out that the order is what counts, and that is really tricky
i played around 5 hours with this absolutely crap
that sounds good, so you already did many real world tests
adding !MEDIUM results in open from CRIME or BEAST attack because some clients choose a vulnerable cipher, but it would raise up the overall points of the test BUT at the same time perfect forward secrecy for most clients while with settings below only for Apple iOS/Safari
without the -SHA1 also vulnerable for one of the new attacks sorry, i refused to notice what and tried to achieve best possible encryption while not fall back to classification B what is important for security audits
BEAST attack is unlikely in context mail
IMHO this is all bullshit currently *but* if recent clients start to act smarter they can choose the best possible cipher offered from the server and after that you have your compatibility net for old clients - currently this all is a tragedy, but having PRISM/NSA and the latest news about in mind most likely recent clients will be able to choose a "perfect forward secrecy" capable cipher if offered by the server independent of weaker ones
the real problem in your case will most likely be that most of the shiny new things in this area will require recent openssl and TLS1.2 (sadly not supported by Mozilla/NSS for now)
i will upgrade openssl and whole setup as soon as possible, meanwhile looking for best working tmp solution
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLInsecureRenegotiation Off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5
i have a testing setup with newer openssl/dove i will try your settings with a few clients there, but that will take time going on vacation soon
Best Regards MfG Robert Schetterer
I would like to contribute this suggestion (assuming nobody has already):
ssl_cipher_list = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!PSK:@STRENGTH
I have not tested it incredibly thoroughly, but I do believe the @STRENGTH at the end is the little secret that puts the order into the chaos.
participants (3): Nigel Smith, Reindl Harald, Robert Schetterer