On 04/27/2016 07:50 PM, Alice Wonder wrote:> On 04/27/2016 12:41 AM, Alice Wonder wrote: >> On 04/27/2016 12:30 AM, James Hogarth wrote: >> *snip* >>> >>> Unless you have a very specific requirement for a very bleeding edge >>> feature it's fundamentally a terrible idea to move away from the >>> distribution packages in something as exposed as a webserver ... >> >> I use to believe that. >> >> However I no longer. >> >> First of all, advancements in TLS happen too quickly. >> >> The RHEL philosophy of keeping API stability for as long as the release >> is supported means you end up running old protocols and old cipher >> suites and don't have the new protocols and cipher suites available. >> >> That's a problem. >> >> With respect to Apache and PHP - >> >> There is a lot of benefit to HTTP/2 but you can't get that with the >> stock Apache in RHEL / CentOS 7. You just can't. >> >> The PHP in stock RHEL / CentOS is so old that web application developers >> largely are not even using it anymore, resulting in some web >> applications that just simply don't work unless you update the PHP to >> something more modern. >> >> It's a nice idealistic philosophy to want to keep the same versions and >> backport security fixes and keep everything API compatible but in real >> world practice, it makes your server stale. > > Another example outside of LAMP > > Postfix - > > The postfix that ships with CentOS 7 does not have the ability to > enforce DANE. > > If you are not sure what that is - > > On mt DNS server, I can (and do) post a fingerprint of the TLS keys > used by my smtp server. > > When other mail servers want to send an e-mail to my server, they can > do a DNS query and if I have a DANE record, then they can require that > that the TLS connection they make to my SMTP server uses a certificate > with a fingerprint that matches. > > That is the only reliable way to avoid MITM with SMTP. > > It's easy to set up in postfix - > > smtp_dns_support_level = dnssec > smtp_host_lookup = dns >Sounds good, but how many domain MX servers have set up these fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it uses it if available. So even if you do post it on your DNS, how many clients out there are using DANE on their set up? By the time it becomes more than a tiny % and generally useful, it will be in CentOS 8. It also requires certificates to be implemented more ubiquitously than at present - although we do now have affordable solutions, so this one may resolve more quickly.> But with the postfix that comes with CentOS 7 - it is too old for > that, so Postfix with CentOS 7 will never even try to verify the TLS > certificate of the servers it connects to. > > It's a stale version of postfix and people running postfix on CentOS 7 > should use a newer version. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos
On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen <rkampen at kampensonline.com> wrote:> Sounds good, but how many domain MX servers have set up these fingerprint > keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it > uses it if available. So even if you do post it on your DNS, how many > clients out there are using DANE on their set up? By the time it becomes > more than a tiny % and generally useful, it will be in CentOS 8. It also > requires certificates to be implemented more ubiquitously than at present - > although we do now have affordable solutions, so this one may resolve more > quickly.I hope my prior comments weren't too off topic but a lot of people don't seem to understand the purpose for an enterprise distribution. DANE is a perfect example of this. Go poll the SMTP servers for any company on the S&P 500 and I can almost guarantee that 99.9% of them will not have TLSA records for DANE. It's a new/emerging technology. The same is true with DNSSEC (which is actually quite old). Enterprises are typically behind in the technology they adopt. Stability and reliability are paramount. This is where RHEL and CentOS come in. I know of a few companies listed on the S&P 500 who still have SSLv3 turned on to allow customers with old versions of Internet Explorer on Windows XP to connect. You can't simply assume everyone is using the latest technology. This is the reason IBM loves System z. Brandon Vincent
On 04/27/2016 01:21 AM, Brandon Vincent wrote:> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen <rkampen at kampensonline.com> wrote: >> Sounds good, but how many domain MX servers have set up these fingerprint >> keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it >> uses it if available. So even if you do post it on your DNS, how many >> clients out there are using DANE on their set up? By the time it becomes >> more than a tiny % and generally useful, it will be in CentOS 8. It also >> requires certificates to be implemented more ubiquitously than at present - >> although we do now have affordable solutions, so this one may resolve more >> quickly. > > I hope my prior comments weren't too off topic but a lot of people > don't seem to understand the purpose for an enterprise distribution. > > DANE is a perfect example of this. Go poll the SMTP servers for any > company on the S&P 500 and I can almost guarantee that 99.9% of them > will not have TLSA records for DANE. It's a new/emerging technology. > The same is true with DNSSEC (which is actually quite old).Last poll I saw, 2% of the top 500 did in fact have DNSSEC. TLSA is just a record like any other DNS record, it is just meaningless without DNSSEC.> > Enterprises are typically behind in the technology they adopt. > Stability and reliability are paramount. This is where RHEL and CentOS > come in.Stability though should not come at the cost of halting progress. Security and Privacy on the Internet are both severely broken. If you read the white papers from when the Internet was first being designed, security was rarely even mentioned. Look at how many "secure" web servers still use SSLv2 and SSLv3 - this is because the "stable" Enterprise UNIX distributions were slow to progress. DNS is a severely insecure system, and so is SMTP. Hell - security of SMTP is so sloppy that quite often, the TLS certificate doesn't even match the hostname. Cipher suites that we know to be insecure are often still supported by mail servers because they take the flawed attitude that weak ciphers are better than plain and the opportunistic nature of SMTP allows for plain. It was that same mindset that resulted in a lot of mail servers supporting SSLv2 resulting in capture of the private key in DROWN attack. When it comes to security, we can't be stale. We have to progress because what we currently have is not good enough. We need to embrace DNSSEC and we need to promote DNSSEC. Trust is easy to exploit, DNSSEC provides a means to verify so that trust is not needed. Using "enterprise" as an excuse to not move forward with security progress is just plain foolish. Enterprise or not, DNSSEC should be a top priority to deploy in your DNS zone. Enterprise or not, if you run a mail server, you really need to publish an accurate TLSA record for TCP port 25 of your MX mail servers. Enterprise or not, your mail servers should look for a TLSA record on port 25 of the receiving server, and if found, only connect to that server if the connection is secure and the TLS certificate matches the TLSA record. The Internet is broken security-wise, and a big part of the solution is available now and free to deploy. If that means upgrading software in an "Enterprise" distribution, then that's what you do. It's called taking responsibility for the security and privacy of your users. It's called using intelligence. It's called doing the job right.