Re: Impact of SSL renegotiation attacks on SMTP mail
gmx:
> In-Reply-To-Message-ID: 20091109012901.6d90f1f3...@spike.porcupine.org
>
> Hi Wietse and Victor,
>
> Thank you very much for your analyses http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 .
>
> As a practitioner, the following question arises as we are in a business partner context as you describe in http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf p. 6:
>
> 1) will a) smtpd_tls_ask_ccert, b) smtpd_tls_wrappermode, c) smtpd_use_tls, d) smtpd_enforce_tls still work with the new openssl 0.9.8l http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?

They will break if some REMOTE system wants to renegotiate TLS, using a protocol that is not supported by the LOCAL TLS implementation.

Note that it says: remote system wants to renegotiate. Postfix does not request renegotiation, as far as I know.

> 3) on p. 11, you say Wietse and Victor concocted detection mechanisms and workarounds. Some may even end up in Postfix.
> - will they still be needed with the new openssl that disables renegotiation altogether?

These CLIENT-SIDE workarounds detect some attacks when you are talking to servers with vulnerable SSL implementations.

Wietse
Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l
> > 1) will a) smtpd_tls_ask_ccert, b) smtpd_tls_wrappermode, c) smtpd_use_tls, d) smtpd_enforce_tls still work with the new openssl 0.9.8l http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> > 2) should I upgrade the openssl on the MTA to that version?
>
> They will break if some REMOTE system wants to renegotiate TLS, using a protocol that is not supported by the LOCAL TLS implementation.
>
> Note that it says: remote system wants to renegotiate. Postfix does not request renegotiation, as far as I know.

Anybody on the list has practical experience - e.g.
4) with MS-Outlook and
5) Thunderbird directly connecting to postfix or
6) MS-Exchange
7) Any of the usual gateway suspects like IronPort, Borderware, ...
or does any of them regularly attempt TLS renegotiation?

Many thanks for any hints in advance

Ralf
Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l
On Thu, Nov 26, 2009 at 04:21:29PM +0100, gmx wrote:
> Anybody on the list has practical experience - e.g.
> 4) with MS-Outlook and
> 5) Thunderbird directly connecting to postfix or
> 6) MS-Exchange
> 7) Any of the usual gateway suspects like IronPort, Borderware, ...
> or does any of them regularly attempt TLS renegotiation?

I would be very surprised to find any SMTP client or server that initiates a TLS re-negotiation after STARTTLS. It *should* be safe to disable re-negotiation. This said, my life has not been entirely without surprises.

-- Viktor.
Re: Impact of SSL renegotiation attacks on SMTP mail
On Mon, Nov 9, 2009 at 02:29, Wietse Venema wie...@porcupine.org wrote:
> Last week there was big news about a security hole in the TLS protocol that allows a man-in-the-middle to prepend data to a fully-secure TLS session.

Thank you both gentlemen for your hard work on this.

I've got a possibly lame question. I assume STARTTLS is affected, but is also 'wrapper mode' vulnerable to this attack? I mean the mode in which client and server immediately establish encrypted channel, before issuing any SMTP command.

Thanks,
Andrzej Kukula
Re: Impact of SSL renegotiation attacks on SMTP mail
Andrzej Kukuła:
> On Mon, Nov 9, 2009 at 02:29, Wietse Venema wie...@porcupine.org wrote:
> > Last week there was big news about a security hole in the TLS protocol that allows a man-in-the-middle to prepend data to a fully-secure TLS session.
>
> Thank you both gentlemen for your hard work on this.
>
> I've got a possibly lame question. I assume STARTTLS is affected, but is also 'wrapper mode' vulnerable to this attack? I mean the mode in which client and server immediately establish encrypted channel, before issuing any SMTP command.

It was left as an exercise for the reader.

- At the top of the attack diagram, delete the plaintext phase (the SMTP 220 welcome, SMTP hello and SMTP starttls command and reply boxes).
- Insert SMTP 220 welcome as the first server response after the renegotiation TLS handshake.

This attack works when the server's TLS engine renegotiates the session before it encrypts the server's SMTP 220 welcome.

In the Postfix SMTP server, wrappermode would not be affected for the same reason that Postfix SMTP server STARTTLS is not affected.

Also, the same SMTP client defenses apply for detecting server replies that are sent too soon.

Wietse
Re: Impact of SSL renegotiation attacks on SMTP mail
I am not able to install this, which I used to in Debian. I am now using CentOS. Can you please tell me how to install apt-get install libnet-server-perl on CentOS?

Samuel Goldwyn <http://www.brainyquote.com/quotes/authors/s/samuel_goldwyn.html> - I'm willing to admit that I may not always be right, but I am never wrong.

On Mon, Nov 9, 2009 at 19:00, Wietse Venema wie...@porcupine.org wrote:
> Andrzej Kukuła:
> > On Mon, Nov 9, 2009 at 02:29, Wietse Venema wie...@porcupine.org wrote:
> > > Last week there was big news about a security hole in the TLS protocol that allows a man-in-the-middle to prepend data to a fully-secure TLS session.
> >
> > Thank you both gentlemen for your hard work on this.
> >
> > I've got a possibly lame question. I assume STARTTLS is affected, but is also 'wrapper mode' vulnerable to this attack? I mean the mode in which client and server immediately establish encrypted channel, before issuing any SMTP command.
>
> It was left as an exercise for the reader.
>
> - At the top of the attack diagram, delete the plaintext phase (the SMTP 220 welcome, SMTP hello and SMTP starttls command and reply boxes).
> - Insert SMTP 220 welcome as the first server response after the renegotiation TLS handshake.
>
> This attack works when the server's TLS engine renegotiates the session before it encrypts the server's SMTP 220 welcome.
>
> In the Postfix SMTP server, wrappermode would not be affected for the same reason that Postfix SMTP server STARTTLS is not affected.
>
> Also, the same SMTP client defenses apply for detecting server replies that are sent too soon.
>
> Wietse
Impact of SSL renegotiation attacks on SMTP mail
Last week there was big news about a security hole in the TLS protocol that allows a man-in-the-middle to prepend data to a fully-secure TLS session. That is, the server certificate verifies, and therefore no-one can read or modify the network traffic. Or so we thought.

http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
http://www.ietf.org/mail-archive/web/tls/current/msg03942.html

This hole was already known and a consortium of industry partners was already working on solutions. Meanwhile, a draft proposal has been published for a TLS protocol change.

While looking at the possible impact for SMTP mail, I came up with an attack that redirects and modifies SMTP mail that is sent over a fully-secure TLS connection; Victor came up with an attack that changes the first command in a TLS session.

You can find a preliminary analysis at:

http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf

It comes with a little tutorial on SMTP over TLS, and on TLS renegotiation attacks.

The impact of all this should not be over-stated. Presently, most SMTP clients don't verify the TLS certificates of SMTP servers. Such clients are already vulnerable to ordinary man-in-the-middle attacks, and TLS renegotiation introduces no new threats for them.

The Postfix SMTP server with OpenSSL is not affected by the TLS renegotiation attack that redirects and modifies SMTP mail, due to accidental details of the Postfix and OpenSSL implementations. Other SMTP server implementations may be affected (my report describes some of the requirements). There may of course be other attacks that I wasn't aware of when I wrote the analysis.

Most SMTP client implementations will not detect that a TLS renegotiation attack has happened, including the Postfix SMTP client. Victor and I have looked into a number of workarounds that can be implemented in the SMTP client, pending a bugfix in the TLS protocol and in TLS implementations. Some of these workarounds may end up in Postfix.

Wietse