dovecot - Mar 2016 - Client-initiated secure renegotiation

On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl>
wrote:
> On 09-03-16 13:14, djk wrote:
>> On 09/03/16 10:44, Florent B wrote:
>>> Hi,
>>>
>>> I don't see any SSL configuration option in Dovecot to disable
>>> "Client-initiated secure renegotiation".
>>>
>>> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>>>
>>> Is it possible to have this possibility through an SSL option or
other ?
>>>
>>> Thank you.
>>>
>>> Florent
>> ssl_protocols = !SSLv3 !SSLv2
>>
>> Is that enough?
>
> I'm afraid not. I've got SSLv2 and SSLv3 disabled and with `openssl
> s_client -connect $host:993` I still can successfully renegotiate by
> passing a single 'R'.
Are you use good ssl_cipher_list
(https://wiki.mozilla.org/Security/Server_Side_TLS)?

My config
## Service options
# 10-ssl
ssl = yes
ssl_cert = </etc/pki/tls/certs/.crt
ssl_key = </etc/pki/tls/private/.key
ssl_require_crl = no
ssl_ca = </etc/pki/tls/cert.pem
ssl_cipher_list
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_parameters_regenerate = 72h
# The !TLSv1 are OK, without TLS not work imtest (cyrus test suit)
ssl_protocols = !SSLv2 !SSLv3
# Prefer the server's order of ciphers over client's
# Only available on dovecot 2.2.6 and later::
ssl_prefer_server_ciphers = yes
# Only available on dovecot 2.2.7 and later::
ssl_dh_parameters_length = 2048

Work fine, but only testssl.sh scanner generate small warning "Secure
Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat"

openssl s_client -connect $host:993 -ssl2(3) and openssl s_client
-connect $host:143 -starttls imap -showcerts -state -crlf -ssl2(3)
break connection

On 10-03-16 11:21, Andrey Fesenko wrote:
> On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl>
wrote:
>> On 09-03-16 13:14, djk wrote:
>>> On 09/03/16 10:44, Florent B wrote:
>>>> Hi,
>>>>
>>>> I don't see any SSL configuration option in Dovecot to
disable
>>>> "Client-initiated secure renegotiation".
>>>>
>>>> It is advised to disable it as it can cause DDoS
(CVE-2011-1473).
>>>>
>>>> Is it possible to have this possibility through an SSL option
or other ?
>>>>
>>>> Thank you.
>>>>
>>>> Florent
>>> ssl_protocols = !SSLv3 !SSLv2
>>>
>>> Is that enough?
>> I'm afraid not. I've got SSLv2 and SSLv3 disabled and with
`openssl
>> s_client -connect $host:993` I still can successfully renegotiate by
>> passing a single 'R'.
> Are you use good ssl_cipher_list
> (https://wiki.mozilla.org/Security/Server_Side_TLS)?
>
> My config
> ## Service options
> # 10-ssl
> ssl = yes
> ssl_cert = </etc/pki/tls/certs/.crt
> ssl_key = </etc/pki/tls/private/.key
> ssl_require_crl = no
> ssl_ca = </etc/pki/tls/cert.pem
> ssl_cipher_list >
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_parameters_regenerate = 72h
> # The !TLSv1 are OK, without TLS not work imtest (cyrus test suit)
> ssl_protocols = !SSLv2 !SSLv3
> # Prefer the server's order of ciphers over client's
> # Only available on dovecot 2.2.6 and later::
> ssl_prefer_server_ciphers = yes
> # Only available on dovecot 2.2.7 and later::
> ssl_dh_parameters_length = 2048
>
> Work fine, but only testssl.sh scanner generate small warning "Secure
> Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat"
>
> openssl s_client -connect $host:993 -ssl2(3) and openssl s_client
> -connect $host:143 -starttls imap -showcerts -state -crlf -ssl2(3)
> break connection
>
That's just the question of Florent: how to disable Secure
Client-Initiated Renegotiation.

On 10.03.2016 12:40, Osiris wrote:

<snip/>
> That's just the question of Florent: how to disable Secure 
> Client-Initiated Renegotiation. 
Hi!

There is no way to disable this in OpenSSL, and the CVE you refer to has 
been disputed. Please see 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1473 and 
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html.

Without altering OpenSSL sources, secure renegotiations will take place.

---
Aki Tuomi
Dovecot Oy