Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l

[Victor Duchovni]

On Thu, Nov 26, 2009 at 04:21:29PM +0100, gmx wrote:

> Anybody on the list has practical experience - e.g. 
> 4) with MS-Outlook and
> 5) Thunderbird directly connecting to postfix or
> 6) MS-Exchange
> 7) Any of the usual gateway suspects like IronPort, Borderware, ...
> or does any of them regularly attempt TLS renegotiation?

I would be very surprised to find any SMTP client or server that
initiates a TLS re-negotiation after STARTTLS. It *should* be safe
to disable re-negotiation. This said, my life has not been entirely
without surprises.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l

[gmx]

>> 1) will 
>>   a) smtpd_tls_ask_ccert, 
>>   b) smtpd_tls_wrappermode, 
>>   c) smtpd_use_tls, 
>>   d) smtpd_enforce_tls
>> still work with the new openssl 0.9.8l
>> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?
>
> They will break if some REMOTE system wants to renegotiate TLS, using
> a protocol that is not supported by the LOCAL TLS implementation.
>
> Note that it says: "remote system wants to renegotiate". Postfix
> does not request renegotiation, as far as I know.
Anybody on the list has practical experience - e.g. 
4) with MS-Outlook and
5) Thunderbird directly connecting to postfix or
6) MS-Exchange
7) Any of the usual gateway suspects like IronPort, Borderware, ...
or does any of them regularly attempt TLS renegotiation?

Many thanks for any hints in advance

Ralf

Re: Impact of SSL renegotiation attacks on SMTP mail

[Wietse Venema]

gmx:
> In-Reply-To-Message-ID:  20091109012901.6d90f1f3...@spike.porcupine.org
> 
> Hi Wietse and Victor,
> 
> Thank you very much for your analyses
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 .
> 
> As a practitioner, the following question arises as we are in a business
> partner context as you describe in
> http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf p. 6:
> 
> 1) will 
>   a) smtpd_tls_ask_ccert, 
>   b) smtpd_tls_wrappermode, 
>   c) smtpd_use_tls, 
>   d) smtpd_enforce_tls
> still work with the new openssl 0.9.8l
> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?

They will break if some REMOTE system wants to renegotiate TLS, using
a protocol that is not supported by the LOCAL TLS implementation.

Note that it says: "remote system wants to renegotiate". Postfix
does not request renegotiation, as far as I know.

> 3) on p. 11, you say < workarounds. Some may even end up in Postfix.>> - will they still be needed
> with the new openssl that disables renegotiation altogether?

These CLIENT-SIDE workarounds detect some attacks when you are
talking to servers with vulnerable SSL implementations.

Wietse

Re: Impact of SSL renegotiation attacks on SMTP mail

[Dhiraj Chatpar]

I am not able to install this which i used to in debian.. i am now using
centos. can you please tell me how to install apt-get install
libnet-server-perl on centos?


Samuel Goldwyn
- "I'm willing to admit that I may not always be right, but I am never
wrong."

On Mon, Nov 9, 2009 at 19:00, Wietse Venema  wrote:

> Andrzej Kukuła:
> > On Mon, Nov 9, 2009 at 02:29, Wietse Venema 
> wrote:
> > > Last week there was big news about a security hole in the TLS
> > > protocol that allows a man-in-the-middle to prepend data to a
> > > fully-secure TLS session.
> >
> > Thank you both gentlemen for your hard work on this. I've got possibly
> > lame question. I assume STARTTLS is affected, but is also 'wrapper
> > mode' vulnerable to this attack? I mean the mode in which client and
> > server immediately estabilish encrypted channel, before issuing any
> > SMTP command.
>
> It was left as an exercise for the reader.
>
> - At the top of the attack diagram, delete the plaintext phase (the
>  "SMTP 220 welcome", "SMTP hello" and "SMTP starttls" command and
>  reply boxes).
>
> - Insert "SMTP 220 welcome" as the first server response after the
>  renegotiation TLS handshake.
>
> This attack works when the server's TLS engine renegotiates the
> session before it encrypts the server's "SMTP 220 welcome".
>
> In the Postfix SMTP server, wrappermode would not be affected for
> the same reason that Postfix SMTP server STARTTLS is not affected.
> Also, the same SMTP client defenses apply for detecting server
> replies that are sent too soon.
>
>Wietse
>

Re: Impact of SSL renegotiation attacks on SMTP mail

[Wietse Venema]

Andrzej Kuku??a:
> On Mon, Nov 9, 2009 at 02:29, Wietse Venema  wrote:
> > Last week there was big news about a security hole in the TLS
> > protocol that allows a man-in-the-middle to prepend data to a
> > fully-secure TLS session.
> 
> Thank you both gentlemen for your hard work on this. I've got possibly
> lame question. I assume STARTTLS is affected, but is also 'wrapper
> mode' vulnerable to this attack? I mean the mode in which client and
> server immediately estabilish encrypted channel, before issuing any
> SMTP command.

It was left as an exercise for the reader.

- At the top of the attack diagram, delete the plaintext phase (the
  "SMTP 220 welcome", "SMTP hello" and "SMTP starttls" command and
  reply boxes).

- Insert "SMTP 220 welcome" as the first server response after the
  renegotiation TLS handshake.

This attack works when the server's TLS engine renegotiates the
session before it encrypts the server's "SMTP 220 welcome".

In the Postfix SMTP server, wrappermode would not be affected for
the same reason that Postfix SMTP server STARTTLS is not affected.
Also, the same SMTP client defenses apply for detecting server
replies that are sent too soon.

Wietse

Re: Impact of SSL renegotiation attacks on SMTP mail

[Andrzej Kukuła]

On Mon, Nov 9, 2009 at 02:29, Wietse Venema  wrote:
> Last week there was big news about a security hole in the TLS
> protocol that allows a man-in-the-middle to prepend data to a
> fully-secure TLS session.

Thank you both gentlemen for your hard work on this. I've got possibly
lame question. I assume STARTTLS is affected, but is also 'wrapper
mode' vulnerable to this attack? I mean the mode in which client and
server immediately estabilish encrypted channel, before issuing any
SMTP command.

Thanks,
Andrzej Kukula