On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote:
> On 09-03-16 13:14, djk wrote:
>> On 09/03/16 10:44, Florent B wrote:
>>> Hi,
>>>
>>> I don't see any SSL configuration option in Dovecot to disable
>>> "Client-initiated secure renegotiation".
>>>
>>> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>>>
>>> Is it possible to have this possibility through an SSL option or other?
>>>
>>> Thank you.
>>>
>>> Florent
>> ssl_protocols = !SSLv3 !SSLv2
>>
>> Is that enough?
>
> I'm afraid not. I've got SSLv2 and SSLv3 disabled and with `openssl
> s_client -connect $host:993` I still can successfully renegotiate by
> passing a single 'R'.

Are you using a good ssl_cipher_list
(https://wiki.mozilla.org/Security/Server_Side_TLS)?

My config

## Service options
# 10-ssl
ssl = yes
ssl_cert = </etc/pki/tls/certs/.crt
ssl_key = </etc/pki/tls/private/.key
ssl_require_crl = no
ssl_ca = </etc/pki/tls/cert.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_parameters_regenerate = 72h
# The !TLSv1 are OK, without TLS not work imtest (cyrus test suite)
ssl_protocols = !SSLv2 !SSLv3
# Prefer the server's order of ciphers over client's
# Only available on dovecot 2.2.6 and later::
ssl_prefer_server_ciphers = yes
# Only available on dovecot 2.2.7 and later::
ssl_dh_parameters_length = 2048

Works fine, but only the testssl.sh scanner generates a small warning "Secure
Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat"

openssl s_client -connect $host:993 -ssl2(3) and openssl s_client
-connect $host:143 -starttls imap -showcerts -state -crlf -ssl2(3)
break the connection

On 10-03-16 11:21, Andrey Fesenko wrote:
> On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote:
>> On 09-03-16 13:14, djk wrote:
>>> On 09/03/16 10:44, Florent B wrote:
>>>> Hi,
>>>>
>>>> I don't see any SSL configuration option in Dovecot to disable
>>>> "Client-initiated secure renegotiation".
>>>>
>>>> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>>>>
>>>> Is it possible to have this possibility through an SSL option or other?
>>>>
>>>> Thank you.
>>>>
>>>> Florent
>>> ssl_protocols = !SSLv3 !SSLv2
>>>
>>> Is that enough?
>> I'm afraid not. I've got SSLv2 and SSLv3 disabled and with `openssl
>> s_client -connect $host:993` I still can successfully renegotiate by
>> passing a single 'R'.
> Are you using a good ssl_cipher_list
> (https://wiki.mozilla.org/Security/Server_Side_TLS)?
>
> My config
> ## Service options
> # 10-ssl
> ssl = yes
> ssl_cert = </etc/pki/tls/certs/.crt
> ssl_key = </etc/pki/tls/private/.key
> ssl_require_crl = no
> ssl_ca = </etc/pki/tls/cert.pem
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_parameters_regenerate = 72h
> # The !TLSv1 are OK, without TLS not work imtest (cyrus test suite)
> ssl_protocols = !SSLv2 !SSLv3
> # Prefer the server's order of ciphers over client's
> # Only available on dovecot 2.2.6 and later::
> ssl_prefer_server_ciphers = yes
> # Only available on dovecot 2.2.7 and later::
> ssl_dh_parameters_length = 2048
>
> Works fine, but only the testssl.sh scanner generates a small warning "Secure
> Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat"
>
> openssl s_client -connect $host:993 -ssl2(3) and openssl s_client
> -connect $host:143 -starttls imap -showcerts -state -crlf -ssl2(3)
> break the connection
>

That's just the question of Florent: how to disable Secure
Client-Initiated Renegotiation.

On 10.03.2016 12:40, Osiris wrote:
<snip/>
> That's just the question of Florent: how to disable Secure
> Client-Initiated Renegotiation.

Hi!

There is no way to disable this in OpenSSL, and the CVE you refer to has
been disputed. Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1473 and
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html.

Without altering OpenSSL sources, secure renegotiations will take place.

---
Aki Tuomi
Dovecot Oy
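Added example, not part of the thread and not Dovecot or OpenSSL code: a repeatable form of the manual check discussed above (`openssl s_client -connect $host:993`, then 'R') for auditing a server you operate. The function names, the sleep timings, the matched output patterns and the two sample transcripts are assumptions constructed for illustration; the patterns are a heuristic over s_client's diagnostic output.

```shell
#!/bin/sh
# Added example: decide from an `openssl s_client` transcript whether a
# client-initiated renegotiation (the "R" command) was accepted.

# Reads a transcript on stdin. Only lines after "RENEGOTIATING" count: the
# initial handshake also prints "verify return:1", which must not be mistaken
# for a completed renegotiation. The first decisive line wins.
classify_reneg() {
    awk '
        /^RENEGOTIATING/ { seen = 1; next }
        !seen { next }
        !result && /:error:|errno=/  { result = "refused" }
        !result && /verify return:1/ { result = "accepted" }
        END { print (result ? result : "inconclusive") }
    '
}

# Live check against a server you operate. The sleeps give the handshake and
# the renegotiation time to finish; they are assumed values, tune as needed.
probe_reneg() {
    { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "$1:$2" 2>&1 | classify_reneg
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = mail.example.test
verify return:1
* OK Dovecot ready.
RENEGOTIATING
depth=0 CN = mail.example.test
verify return:1'

SAMPLE_REFUSED='CONNECTED(00000003)
depth=0 CN = mail.example.test
verify return:1
* OK Dovecot ready.
RENEGOTIATING
write:errno=104'

# Run the live probe only when called as: sh script.sh HOST PORT
if [ "$#" -eq 2 ]; then
    probe_reneg "$1" "$2"
fi
```

TLS 1.3 has no renegotiation, so the check is only meaningful on connections that negotiate TLS 1.2 or earlier.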