Re: [courier-users] SSL Report on Courier's TLS settings (includes answer)
On Thu 30/Mar/2017 12:58:26 +0200 Sam Varshavchik wrote:
> Alessandro Vesely writes:
>
>> SSL/TLS compression Yes INSECURE (more info)
>> [(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>>
>> I note the TLS_COMPRESSION option has gone away. Are there other TLS options
>> worth trying to remove compression?
>
> The only known issue with TLS compression is when it is also used by web
> servers that also implement SPDY, and its own built-in compression.
>
> You have to read https://en.wikipedia.org/wiki/CRIME very carefully.

Yeah, now I recall. In general, it seems one can discover any secret field transmitted within a secured connection if he can choose another part of the content.

Let's hypothesize you have a smart host that you use with TLS and plaintext password. If any mail you allow me to relay goes through there, I could try and send out the dictionary while checking if the connection to your smart host achieves any compression... Hm... Can TLS compress across packets without pipelining?

Ale

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
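The leakage Ale sketches above (a secret field and attacker-chosen text inside the same compressed TLS context), worked through as an added example; this is not code from any post in the thread and not Courier's. It models the compression context with gzip's DEFLATE, the same algorithm RFC 3749 TLS compression uses, and keeps one context over the whole stream, which is what RFC 3749 does per direction for the life of a connection (the point behind Ale's last question: the context is not reset per record). The secret value, the field name and the hex alphabet are constructed for the demo; the only thing the "attacker" side reads is the compressed length.

```shell
#!/bin/sh
# Constructed data, for illustration only: the secret the smart host receives on
# the TLS session, and the alphabet the attacker guesses from. Not Courier code.
SECRET="7f3a9c2e1b4d"
ALPHABET="0 1 2 3 4 5 6 7 8 9 a b c d e f"

# The oracle. One DEFLATE context holds the victim's secret field and, later in
# the same stream, bytes the attacker chose (the relayed message body). Returns
# the compressed size in bytes, i.e. what an observer of the TLS records sees.
# The field name is 19 bytes on purpose: DEFLATE length codes for matches of
# 19..34 bytes all cost the same number of bits, so a correct guess (the
# back-reference grows by one byte) and a wrong guess (one extra literal) differ
# by exactly one byte of output. Shorter prefixes cross a length-code boundary
# and can produce ties.
oracle() {
    printf 'smarthost_password=%s\r\nbody=smarthost_password=%s' "$SECRET" "$1" \
        | gzip -9 -c | wc -c | tr -d ' '
}

# Recover the secret one character at a time: the candidate that does not grow
# the output is the right continuation. Stops when no candidate is uniquely
# shortest, which is what happens once the whole secret has been consumed.
recover_secret() {
    known=""
    while [ ${#known} -lt 64 ]; do
        best=""; best_size=0; ties=0
        for c in $ALPHABET; do
            size=$(oracle "$known$c")
            if [ -z "$best" ] || [ "$size" -lt "$best_size" ]; then
                best=$c; best_size=$size; ties=0
            elif [ "$size" -eq "$best_size" ]; then
                ties=$((ties + 1))
            fi
        done
        [ "$ties" -eq 0 ] || break
        known="$known$best"
    done
    printf '%s' "$known"
}
```

In Ale's scenario each oracle call is one relayed message; the dictionary is the alphabet, tried position by position rather than as whole passwords, which is why the attack is cheap. Real TLS adds a MAC and, with block ciphers, padding on top of the compressed record, so the original CRIME work needed alignment tricks to see a one-byte difference; the principle is unchanged, and so is the fix: no compression at all.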
Re: [courier-users] SSL Report on Courier's TLS settings (includes answer)
Alessandro Vesely writes:

> SSL/TLS compression Yes INSECURE (more info)
> [(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>
> I note the TLS_COMPRESSION option has gone away. Are there other TLS options
> worth trying to remove compression?

The only known issue with TLS compression is when it is also used by web servers that also implement SPDY, and its own built-in compression.

You have to read https://en.wikipedia.org/wiki/CRIME very carefully.
Re: [courier-users] SSL Report on Courier's TLS settings (includes answer)
Thank you Szépe,

I tried that last week and it was bad enough to convince me to recompile the whole lot --something I had been procrastinating for a while. It is a Debian with OpenSSL 1.0.1t.

Testing the new code, without TLS-specific settings, I got again logged on the /recent worst/ table as up2.tana.it (of course my certificate doesn't seem to be valid...), but the only serious error I saw is:

SSL/TLS compression Yes INSECURE (more info)
[(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]

I note the TLS_COMPRESSION option has gone away. Are there other TLS options worth trying to remove compression?

The other errors (red) and warnings (yellow), which I think I can safely ignore, are:

E: IE 6 / XP   No FS 1   No SNI 2   Server closed connection
E: IE 8 / XP   No FS 1   No SNI 2   Server sent fatal alert: handshake_failure
W: Forward Secrecy   With some browsers (more info)
W: Session resumption (caching)   No (IDs empty)
W: HTTP status code   Request failed

Did you get better results?

Ciao
Ale
--

On Thu 23/Mar/2017 21:35:44 +0100 SZÉPE Viktor wrote:
>
> Hello Courier users!
>
> Up to now I was not aware that Qualys' SSL test could be used on other
> ports than 443.
> Here is how.
>
> 1) You spin up an hourly billed VPS (like UpCloud). Probably your 443
> port is already used for production websites.
>
> 2) Enable IP forwarding
>
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> 3) Route all tcp/443 traffic to your Courier installation
>
>     iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:465
>
>     iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465 -j SNAT --to-source ${TEMPORARY_VPS_IP}
>
> pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}
>
> 4) Enter the VPS' reverse host name
>
>     https://www.ssllabs.com/ssltest/
>
> Of course there will be a CN mismatch but all the rest of Qualys' fine
> report will show you all the details.
>
>
> All the best!
>
> SZÉPE Viktor
> https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
[courier-users] SSL Report on Courier's TLS settings (includes answer)
Hello Courier users!

Up to now I was not aware that Qualys' SSL test could be used on other ports than 443. Here is how.

1) You spin up an hourly billed VPS (like UpCloud). Probably your 443 port is already used for production websites.

2) Enable IP forwarding

    echo 1 > /proc/sys/net/ipv4/ip_forward

3) Route all tcp/443 traffic to your Courier installation

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:465

    iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465 -j SNAT --to-source ${TEMPORARY_VPS_IP}

pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}

4) Enter the VPS' reverse host name

    https://www.ssllabs.com/ssltest/

Of course there will be a CN mismatch but all the rest of Qualys' fine report will show you all the details.

All the best!

SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498 s...@szepe.net skype: szepe.viktor
Budapest, III. kerület
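The procedure above collected into one script, as an added example rather than Szépe's own text: the same two NAT rules, plus the parts a practitioner tends to trip over: FORWARD rules for a VPS whose FORWARD policy is DROP (Docker hosts are like that), an exact revert, the Fail2ban step as a command, a reachability check that has to run from a third host (PREROUTING never sees packets the VPS generates itself), and a direct check of whether the Courier side negotiates TLS compression, which is the question the rest of the thread is about. The addresses, the port and the Fail2ban jail name are placeholders and assumptions, not anyone's real hosts.

```shell
#!/bin/sh
# Placeholders (RFC 5737 test addresses); override via the environment.
COURIER_IP="${COURIER_IP:-192.0.2.10}"               # the Courier host
TEMPORARY_VPS_IP="${TEMPORARY_VPS_IP:-203.0.113.5}"  # this VPS' public address
TARGET_PORT="${TARGET_PORT:-465}"                    # 465 SMTPS; 993 IMAPS, 995 POP3S work the same way

# The rules as data: "table chain rule..." one per line, so the same text is
# reviewed, applied and reverted. DNAT rewrites the destination; SNAT makes
# Courier answer the VPS instead of answering SSL Labs directly (which would
# break the TCP session). The FORWARD rules only matter if the VPS' FORWARD
# policy is DROP, but they are harmless otherwise.
nat_rules() {
    cat <<EOF
nat PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:${TARGET_PORT}
nat POSTROUTING -p tcp --dst ${COURIER_IP} --dport ${TARGET_PORT} -j SNAT --to-source ${TEMPORARY_VPS_IP}
filter FORWARD -p tcp --dst ${COURIER_IP} --dport ${TARGET_PORT} -j ACCEPT
filter FORWARD -p tcp --src ${COURIER_IP} --sport ${TARGET_PORT} -j ACCEPT
EOF
}

# apply | revert: -A appends a rule, -D deletes the identical rule, so the
# teardown is exact and leaves nothing behind on the billed-by-the-hour VPS.
nat_apply() {
    if [ "$1" = "revert" ]; then op="-D"; else op="-A"; fi
    nat_rules | while read -r table chain rule; do
        # $rule is meant to be word-split into iptables arguments.
        iptables -t "$table" $op "$chain" $rule
    done
}

forward_on() { sysctl -w net.ipv4.ip_forward=1; }

# Step "pre-4", to run on the Courier host, not the VPS: keep Fail2ban from
# banning the scanner's source. Jail name assumed (fail2ban ships courier-smtp
# and courier-auth jails); adjust to whatever is enabled locally.
fail2ban_exception() { fail2ban-client set courier-smtp addignoreip "$TEMPORARY_VPS_IP"; }

# Reachability: run from a third machine, since the VPS' own traffic skips
# PREROUTING. Expects the SMTPS 220 greeting to come back through port 443.
check_forwarding() {
    printf 'QUIT\r\n' | openssl s_client -connect "${TEMPORARY_VPS_IP}:443" -quiet 2>/dev/null \
        | grep -q '^220'
}

# The check this thread is after. s_client prints "Compression: NONE" (or
# "zlib compression") for the negotiated session. OpenSSL 1.0.x clients offer
# compression by default; 1.1.0+ clients only offer it with -comp, so pass it
# when the local s_client knows the switch, otherwise the answer is always NONE.
check_compression() {
    comp=""
    if openssl s_client -help 2>&1 | grep -q -- '-comp'; then comp="-comp"; fi
    openssl s_client -connect "${COURIER_IP}:${TARGET_PORT}" $comp </dev/null 2>/dev/null \
        | grep -E '^ *(Compression|Expansion):'
}

case "${1:-}" in
    apply)  forward_on && nat_apply apply ;;
    revert) nat_apply revert ;;
    check)  check_forwarding && echo "forwarding OK"; check_compression ;;
    rules)  nat_rules ;;
esac
```

Run `sh script.sh apply` on the VPS, `fail2ban_exception` on the Courier host, `sh script.sh check` from a third machine, submit the VPS' reverse name to https://www.ssllabs.com/ssltest/, then `sh script.sh revert` before destroying the VPS. A "Compression: zlib compression" line from check_compression reproduces the SSL Labs finding without the detour through a VPS.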