Re: [courier-users] SSL Report on Courier's TLS settings (includes answer)

2017-03-30 Thread Alessandro Vesely
On Thu 30/Mar/2017 12:58:26 +0200 Sam Varshavchik wrote:
> Alessandro Vesely writes:
> 
>> SSL/TLS compression   Yes   INSECURE (more info)
>> [(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>>
>>
>> I note the TLS_COMPRESSION option has gone away.  Are there other TLS options
>> worth trying to remove compression?
> 
> The only known issue with TLS compression is when it is also used by web
> servers that also implement SPDY, and its own built-in compression.
> 
> You have to read https://en.wikipedia.org/wiki/CRIME very carefully.

Yeah, now I recall.  In general, it seems one can discover any secret field
transmitted within a secured connection if he can choose another part of the
content.  Let's hypothesize you have a smart host that you use with TLS and
plaintext password.  If any mail you allow me to relay goes through there, I
could try and send out the dictionary while checking if the connection to your
smart host achieves any compression... Hm... Can TLS compress across packets
without pipelining?

Ale
-- 
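The question in this thread is whether a Courier listener still negotiates TLS-level compression, which is what the Qualys "SSL/TLS compression: Yes" line reports. The script below is an added example, not code from the thread or from the Courier project: it runs `openssl s_client` against a host and port (465 for SMTPS as used above), parses the `Compression:` line of its output, and maps the result to an exit status usable from a monitoring check. It assumes an `openssl` binary whose `s_client` accepts `-comp` (OpenSSL 1.1.0 and later; on 1.0.x compression is offered by default when zlib support is compiled in, so the flag is simply not needed there) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the courier-users thread): detect whether a TLS
# listener negotiates compression (the condition behind CRIME-style leakage).
# Assumption: `openssl s_client` with a `-comp` option (OpenSSL >= 1.1.0).

# parse_compression: read `openssl s_client` output on stdin and print
# "none", the negotiated method name, or "unknown" if no Compression line
# was printed (typically a failed handshake).
parse_compression() {
    line=$(sed -n 's/^Compression:[[:space:]]*//p' | head -n 1)
    case "$line" in
        "")   echo "unknown" ;;
        NONE) echo "none" ;;
        *)    echo "$line" ;;
    esac
}

# probe_compression HOST [PORT]: implicit TLS on PORT (default 465, SMTPS),
# offering compression so a server willing to use it will reveal that.
# For submission on 587 add `-starttls smtp` to the openssl command.
probe_compression() {
    host=$1
    port=${2:-465}
    openssl s_client -connect "$host:$port" -comp </dev/null 2>/dev/null \
        | parse_compression
}

# compression_verdict METHOD: human-readable verdict plus exit status
# 0 = fine, 1 = compression negotiated, 2 = could not determine.
compression_verdict() {
    case "$1" in
        none)
            echo "OK: server does not negotiate TLS compression"
            return 0 ;;
        unknown)
            echo "WARN: could not determine (handshake failed or no Compression line)"
            return 2 ;;
        *)
            echo "INSECURE: server negotiated '$1' (see the Qualys CRIME write-up)"
            return 1 ;;
    esac
}

# Usage: sh check_tls_compression.sh mail.example.org [465]
if [ -n "${1:-}" ]; then
    method=$(probe_compression "$1" "${2:-465}")
    compression_verdict "$method"
fi
```

The parser is separated from the network call so it can be exercised on saved `s_client` output; `Compression: NONE` is what OpenSSL prints when nothing was negotiated, and any other value is the method name OpenSSL reports (for example `zlib compression`).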
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] SSL Report on Courier's TLS settings (includes answer)

2017-03-30 Thread Sam Varshavchik

Alessandro Vesely writes:

> SSL/TLS compression   Yes   INSECURE (more info)
> [(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>
> I note the TLS_COMPRESSION option has gone away.  Are there other TLS options
> worth trying to remove compression?


The only known issue with TLS compression is when it is also used by web
servers that also implement SPDY, and its own built-in compression.


You have to read https://en.wikipedia.org/wiki/CRIME very carefully.






Re: [courier-users] SSL Report on Courier's TLS settings (includes answer)

2017-03-30 Thread Alessandro Vesely
Thank you Szépe, I tried that last week and it was bad enough to convince me to 
recompile the whole lot --something I had been procrastinating for a while.  It 
is a Debian with OpenSSL 1.0.1t.

Testing the new code, without TLS-specific settings, I got again logged on the 
/recent worst/ table as up2.tana.it (of course my certificate doesn't seem to 
be valid...), but the only serious error I saw is:

SSL/TLS compression   Yes   INSECURE (more info)
[(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]

I note the TLS_COMPRESSION option has gone away.  Are there other TLS options 
worth trying to remove compression?


The other errors (red) and warnings (yellow), which I think I can safely 
ignore, are:
E: IE 6 / XP                     No FS 1  No SNI 2   Server closed connection
E: IE 8 / XP                     No FS 1  No SNI 2   Server sent fatal alert: handshake_failure
W: Forward Secrecy               With some browsers (more info)
W: Session resumption (caching)  No (IDs empty)
W: HTTP status code              Request failed

Did you get better results?

Ciao
Ale
-- 

On Thu 23/Mar/2017 21:35:44 +0100 SZÉPE Viktor wrote:
> 
> Hello Courier users!
> 
> Up to now I was not aware that Qualys' SSL test could be used on other  
> ports than 443.
> Here is how.
> 
> 1) You spin up an hourly billed VPS (like UpCloud).  Probably your 443
> port is already used for production websites.
> 
> 2) Enable IP forwarding
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> 3) Route all tcp/443 traffic to your Courier installation
> 
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:465
> 
> iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465 -j SNAT --to-source ${TEMPORARY_VPS_IP}
> 
> pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}
> 
> 4) Enter the VPS' reverse host name
> 
> https://www.ssllabs.com/ssltest/
> 
> Of course there will be a CN mismatch but all the rest of Qualys' fine  
> report will show you all the details.
> 
> 
> All the best!
> 
> 
> SZÉPE Viktor
> https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
> 





[courier-users] SSL Report on Courier's TLS settings (includes answer)

2017-03-23 Thread SZÉPE Viktor

Hello Courier users!

Up to now I was not aware that Qualys' SSL test could be used on other  
ports than 443.
Here is how.

1) You spin up an hourly billed VPS (like UpCloud).  Probably your 443
port is already used for production websites.

2) Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

3) Route all tcp/443 traffic to your Courier installation

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:465

iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465 -j SNAT --to-source ${TEMPORARY_VPS_IP}

pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}

4) Enter the VPS' reverse host name

https://www.ssllabs.com/ssltest/

Of course there will be a CN mismatch but all the rest of Qualys' fine  
report will show you all the details.


All the best!


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
-- 
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, III. kerület
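The recipe in the post above, as an added example that is not Viktor's script nor anything from the Courier project: a POSIX shell wrapper that validates both addresses, prints the same two NAT rules (with `-A` to add or `-D` to remove, so the temporary VPS can be cleaned up afterwards), and writes the forwarding sysctl correctly. The function and variable names are my own; it assumes IPv4, an `iptables` that accepts the syntax shown in the post, and a Courier SMTPS listener on 465. The Fail2ban exception from step pre-4 belongs on the Courier host, not on the VPS, and is left to the reader.

```shell
#!/bin/sh
# Added example (not from the courier-users thread): a checked, reversible
# version of the 443 -> Courier:465 forwarding recipe. Run as root on the
# throw-away VPS. Assumptions: IPv4 only, iptables syntax as in the post.

# valid_ipv4 ADDR: return 0 for a dotted quad with octets 0-255, else 1.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# forward_rules COURIER_IP VPS_IP [ACTION]: print the two iptables commands.
# ACTION is -A (default, add) or -D (delete) so the same function tears down.
forward_rules() {
    courier=$1
    vps=$2
    action=${3:--A}
    valid_ipv4 "$courier" || { echo "bad Courier IP: $courier" >&2; return 1; }
    valid_ipv4 "$vps"     || { echo "bad VPS IP: $vps" >&2; return 1; }
    # Rewrite the destination of incoming tcp/443 to Courier's SMTPS port.
    echo "iptables -t nat $action PREROUTING -p tcp --dport 443 -j DNAT --to-destination $courier:465"
    # Rewrite the source to the VPS so Courier's replies return through the
    # VPS (which holds the NAT state) rather than going straight to the scanner.
    echo "iptables -t nat $action POSTROUTING -p tcp --dst $courier --dport 465 -j SNAT --to-source $vps"
}

# apply_forwarding COURIER_IP VPS_IP: enable forwarding, then install rules.
apply_forwarding() {
    rules=$(forward_rules "$1" "$2" -A) || return 1
    # The sysctl file itself is the redirection target (no "cat" in between).
    echo 1 > /proc/sys/net/ipv4/ip_forward
    printf '%s\n' "$rules" | sh -e
}

# remove_forwarding COURIER_IP VPS_IP: delete the rules and disable forwarding.
remove_forwarding() {
    rules=$(forward_rules "$1" "$2" -D) || return 1
    printf '%s\n' "$rules" | sh -e
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh forward443.sh show|apply|remove COURIER_IP VPS_IP
case ${1:-} in
    show)   forward_rules "$2" "$3" ;;
    apply)  apply_forwarding "$2" "$3" ;;
    remove) remove_forwarding "$2" "$3" ;;
esac
```

`show` prints the rules without touching the system, which is the safest way to double-check the addresses before `apply`; after the Qualys run, `remove` with the same two addresses undoes exactly what `apply` did.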




