
SSL Report on Courier's TLS settings (includes answer)


SSL Report on Courier's TLS settings (includes answer)

Szépe Viktor

Hello Courier users!

Up to now I was not aware that Qualys' SSL test could be used on other ports than 443.
Here is how.

1) You spin up an hourly billed VPS (like UpCloud). Probably your 443 port is already used for production websites.

2) Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

3) Route all tcp/443 traffic to your Courier installation

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:465

iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465 -j SNAT --to-source ${TEMPORARY_VPS_IP}

pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}

4) Enter the VPS' reverse host name

https://www.ssllabs.com/ssltest/

Of course there will be a CN mismatch but all the rest of Qualys' fine report will show you all the details.


All the best!


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
courier-users mailing list
[hidden email]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
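The same relay done in userspace instead of with NAT rules, added here as an example that is not part of Viktor's post: it listens on 443 on the throwaway VPS and splices every connection to Courier's port 465. The TLS handshake still runs end to end between SSL Labs and Courier, so the report describes Courier's settings (and still shows the CN mismatch for the VPS hostname). Because the relay opens the upstream connection itself, Courier sees the VPS address as the client, exactly as with the SNAT rule, so the Fail2ban exception is still needed. The addresses below are placeholders (TEST-NET), and `selftest()` runs the relay against a loopback echo server so the forwarding logic can be checked without touching a real Courier.

```python
# Added example (not from the post): userspace TCP relay standing in for the
# iptables DNAT/SNAT pair. Python 3.8+, standard library only.
import asyncio

# Assumed placeholder values; substitute your own.
COURIER_HOST = "192.0.2.10"   # the ${COURIER_IP} of the post (TEST-NET address)
COURIER_PORT = 465            # Courier ESMTP over TLS (smtps)
LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 443             # what SSL Labs connects to


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy src -> dst until EOF, then half-close dst so the far side sees FIN."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        try:
            if dst.can_write_eof():
                dst.write_eof()
        except OSError:
            pass  # peer already gone; nothing left to signal


def make_handler(upstream_host: str, upstream_port: int):
    """Per-connection handler: open the upstream leg and pump both directions."""
    async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
        try:
            up_r, up_w = await asyncio.open_connection(upstream_host, upstream_port)
        except OSError:
            client_w.close()          # upstream unreachable: refuse the client
            return
        try:
            await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))
        finally:
            up_w.close()
            client_w.close()
    return handle


async def start_relay(listen_host: str, listen_port: int,
                      upstream_host: str, upstream_port: int):
    """Bind the listener and return the running server (port 0 picks a free port)."""
    return await asyncio.start_server(make_handler(upstream_host, upstream_port),
                                      listen_host, listen_port)


async def roundtrip_via_relay(payload: bytes) -> bytes:
    """Loopback self-check: a throwaway echo server plays Courier, the relay
    sits in front of it, and we confirm the bytes cross both legs and that
    the upstream close is propagated to the client as EOF."""
    async def echo(r, w):
        w.write(await r.read(4096))
        await w.drain()
        w.close()
    upstream = await asyncio.start_server(echo, "127.0.0.1", 0)
    up_port = upstream.sockets[0].getsockname()[1]
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", up_port)
    relay_port = relay.sockets[0].getsockname()[1]
    r, w = await asyncio.open_connection("127.0.0.1", relay_port)
    w.write(payload)
    await w.drain()
    got = await r.read()      # read until EOF, i.e. until the relay half-closes
    w.close()
    relay.close()
    upstream.close()
    return got


def selftest(payload: bytes = b"EHLO probe.example\r\n") -> bytes:
    """Synchronous wrapper around the loopback round trip."""
    return asyncio.run(roundtrip_via_relay(payload))


if __name__ == "__main__":
    # Production use (as root, for port 443): run this, then submit the VPS
    # hostname at https://www.ssllabs.com/ssltest/ as in step 4 of the post.
    async def _main():
        server = await start_relay(LISTEN_HOST, LISTEN_PORT, COURIER_HOST, COURIER_PORT)
        async with server:
            await server.serve_forever()
    asyncio.run(_main())
```

A plain TCP splice like this is enough because SSL Labs only needs a TCP endpoint on 443; nothing TLS-specific happens on the VPS. If Fail2ban on the Courier host watches the smtps log, every probe from SSL Labs arrives from the relay's address, which is why the exception in step pre-4 has to be added before the scan.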

Re: SSL Report on Courier's TLS settings (includes answer)

Alessandro Vesely
Thank you Szépe, I tried that last week and it was bad enough to convince me to recompile the whole lot --something I had been procrastinating for a while.  It is a Debian with OpenSSL 1.0.1t.

Testing the new code, without TLS-specific settings, I got again logged on the /recent worst/ table as up2.tana.it (of course my certificate doesn't seem to be valid...), but the only serious error I saw is:

SSL/TLS compression Yes   INSECURE (more info)
[(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]

I note the TLS_COMPRESSION option has gone away.  Are there other TLS options worth trying to remove compression?


The other errors (red) and warnings (yellow), which I think I can safely ignore, are:
E:IE 6 / XP   No FS 1  No SNI 2 Server closed connection
E:IE 8 / XP   No FS 1  No SNI 2 Server sent fatal alert: handshake_failure
W:Forward Secrecy With some browsers (more info)
W:Session resumption (caching) No (IDs empty)
W:HTTP status code Request failed

Did you get better results?

Ciao
Ale
--

On Thu 23/Mar/2017 21:35:44 +0100 SZÉPE Viktor wrote:

>
> Hello Courier users!
>
> Up to now I was not aware that Qualys' SSL test could be used on other  
> ports than 443.
> Here is how.
>
> 1) You spin up an hourly billed VPS (like UpCloud) Probably your 443  
> port is already used for production websites.
>
> 2) Enable IP forwarding
>
> echo 1 > cat /proc/sys/net/ipv4/ip_forward
>
> 3) Route all tcp/443 traffic to your Courier installation
>
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT  
> --to-destination ${COURIER_IP}:465
>
> iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465  
> -j SNAT --to-source ${TEMPORARY_VPS_IP}
>
> pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}
>
> 4) Enter the VPS' reverse host name
>
> https://www.ssllabs.com/ssltest/
>
> Of course there will be a CN mismatch but all the rest of Qualys' fine  
> report will show you all the details.
>
>
> All the best!
>
>
> SZÉPE Viktor
> https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
>


Re: SSL Report on Courier's TLS settings (includes answer)

Sam Varshavchik
Alessandro Vesely writes:

> SSL/TLS compression Yes   INSECURE (more info)
> [(more info)->https://community.qualys.com/blogs/securitylabs/ 
> 2012/09/14/crime-information-leakage-attack-against-ssltls]
>
> I note the TLS_COMPRESSION option has gone away.  Are there other TLS  
> options worth trying to remove compression?

The only known issue with TLS compression is when it is also used by web  
servers that also implement SPDY, and its own built-in compression.

You have to read https://en.wikipedia.org/wiki/CRIME very carefully.




Re: SSL Report on Courier's TLS settings (includes answer)

Alessandro Vesely
On Thu 30/Mar/2017 12:58:26 +0200 Sam Varshavchik wrote:

> Alessandro Vesely writes:
>
>> SSL/TLS compression     Yes   INSECURE (more info)
>> [(more
>> info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>>
>>
>> I note the TLS_COMPRESSION option has gone away.  Are there other TLS options
>> worth trying to remove compression?
>
> The only known issue with TLS compression is when it is also used by web
> servers that also implement SPDY, and its own built-in compression.
>
> You have to read https://en.wikipedia.org/wiki/CRIME very carefully.
Yeah, now I recall.  In general, it seems one can discover any secret field
transmitted within a secured connection if he can choose another part of the
content.  Let's hypothesize you have a smart host that you use with TLS and
plaintext password.  If any mail you allow me to relay goes through there, I
could try and send out the dictionary while checking if the connection to your
smart host achieves any compression... Hm... Can TLS compress across packets
without pipelining?

Ale
--
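The length oracle behind Sam's CRIME pointer and Alessandro's smart-host hypothetical, as an added example that is not part of either message. TLS compression (RFC 3749) keeps one zlib context per direction for the life of the connection, so a record the attacker controls (a relayed message) is compressed against a window that still holds the earlier, secret record (the credential line). The attacker never sees plaintext, only the size of the resulting ciphertext, and the candidate that produces the longest back-reference is the one already in the window. The session below is constructed; the password line stands in for the base64 credential lines of a real AUTH exchange, against which the attack works the same way.

```python
# Added example (not from the thread): CRIME-style length oracle against a
# TLS-like zlib compression stream. Standard library only.
import zlib

# Constructed sample session. "hunter2" is the secret the attacker wants.
SECRET_RECORDS = [
    b"EHLO relay.example.net\r\n",
    b"AUTH LOGIN\r\n",
    b"PASS hunter2\r\n",        # stand-in for the base64 credential line
]


def session_context(records):
    """Compressor state after the legitimate records have gone out.
    One TLS record = one sync-flushed chunk, as OpenSSL's zlib COMP does."""
    ctx = zlib.compressobj(9)
    for rec in records:
        ctx.compress(rec)
        ctx.flush(zlib.Z_SYNC_FLUSH)
    return ctx


def record_size(ctx, plaintext: bytes) -> int:
    """Compressed size of one more record, measured on a branch of the
    context so the live stream is left untouched (one probe per branch)."""
    branch = ctx.copy()
    return len(branch.compress(plaintext) + branch.flush(zlib.Z_SYNC_FLUSH))


def rank_guesses(ctx, candidates, template=b"X-Probe: PASS %s\r\n"):
    """Return (candidate, compressed_len) sorted best-first. The template is
    the attacker-controlled part of the relayed message; a candidate that
    already sits in the window compresses to fewer bytes."""
    sizes = [(g, record_size(ctx, template % g)) for g in candidates]
    return sorted(sizes, key=lambda t: t[1])


def guess_password(secret_records, candidates) -> bytes:
    """Dictionary attack: send every candidate, keep the smallest record."""
    return rank_guesses(session_context(secret_records), candidates)[0][0]


if __name__ == "__main__":
    ctx = session_context(SECRET_RECORDS)
    for cand, size in rank_guesses(ctx, [b"letmein", b"hunter1", b"password", b"hunter2"]):
        print(f"{size:3d} bytes  {cand.decode()}")
```

This is why the `SSL/TLS compression: Yes` line is graded INSECURE regardless of SPDY: the only ingredient is attacker-chosen plaintext sharing a compression context with a secret, which a relay that forwards third-party mail over an authenticated TLS session provides. To confirm a server's real behaviour after a rebuild, `openssl s_client -connect host:465` prints a `Compression:` line in its session summary; `NONE` is the answer you want.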

Re: SSL Report on Courier's TLS settings (includes answer)

Szépe Viktor
In reply to this post by Alessandro Vesely
No.

You may also try https://tls.imirhil.fr


--
+36204242498
There are a lot of typos on this device.
Sorry!

On March 30, 2017 12:37:24 PM CEST, Alessandro Vesely <[hidden email]> wrote:
> Thank you Szépe, I tried that last week and it was bad enough to convince me to recompile the whole lot --something I had been procrastinating for a while.  It is a Debian with OpenSSL 1.0.1t.
>
> Testing the new code, without TLS-specific settings, I got again logged on the /recent worst/ table as up2.tana.it (of course my certificate doesn't seem to be valid...), but the only serious error I saw is:
>
> SSL/TLS compression Yes INSECURE (more info)
> [(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>
> I note the TLS_COMPRESSION option has gone away. Are there other TLS options worth trying to remove compression?
>
>
> The other errors (red) and warnings (yellow), which I think I can safely ignore, are:
> E:IE 6 / XP No FS 1 No SNI 2 Server closed connection
> E:IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure
> W:Forward Secrecy With some browsers (more info)
> W:Session resumption (caching) No (IDs empty)
> W:HTTP status code Request failed
>
> Did you get better results?
>
> Ciao
> Ale
