Hardening TLS ciphers #492

Merged
tomav merged 5 commits into docker-mailserver:master from tyranron:hardening-tls-ciphers
Jan 25, 2017

@tyranron
Contributor

@tyranron tyranron commented Jan 24, 2017

To follow the principle: Secure by default

Problem

Currently Dovecot does support TLS Medium Strength Cipher Suites.

$ nmap --script ssl-enum-ciphers -p 993 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-24 16:31 EET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0047s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp384r1) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp384r1) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp384r1) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

Also, both Postfix and Dovecot are vulnerable to the Logjam attack.
Despite the hard attack difficulty, the default setup is not PCI compliant:

SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)

Solution

Tune up default configuration to:

  1. Use only strong TLS ciphers.
  2. Use at least 2048 Diffie-Hellman params.

This is enough to get least strength: A and no warnings on an nmap run, which makes the image PCI compliant.

Notice

  • Diffie-Hellman params generation was put into the Dockerfile (not start-mailserver.sh) because it's quite a long operation and slows down container start.

TODO

  • nmap tests
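
A check of the kind the "nmap tests" TODO item calls for, added here as an illustration and not taken from the pull request: it parses ssl-enum-ciphers output and lists every suite that misses the goal stated above (grade A only, DH parameters of at least 2048 bits, no 3DES). The sample input is constructed by shortening the scan output quoted above; the function names and threshold parameters are assumptions.

```python
import re

# Constructed sample: a shortened copy of the ssl-enum-ciphers output quoted in the PR.
SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|_  least strength: D
"""

PROTO = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER = re.compile(r"^\|\s+([A-Z0-9_]+)\s+\((\w+)\s*(\d+)?[^)]*\)\s+-\s+([A-F])\s*$")

def parse_ciphers(text):
    """Return (protocol, suite, kex_type, kex_bits, grade) for each cipher line."""
    rows, proto = [], None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)  # remember which protocol block we are in
            continue
        m = CIPHER.match(line)
        if m and proto:
            suite, kex, bits, grade = m.groups()
            rows.append((proto, suite, kex, int(bits) if bits else None, grade))
    return rows

def audit(text, min_dh_bits=2048, worst_allowed="A"):
    """Return (protocol, suite, reason) for every suite that misses the hardening goal."""
    findings = []
    for proto, suite, kex, bits, grade in parse_ciphers(text):
        if grade > worst_allowed:  # grades sort alphabetically, A is best
            findings.append((proto, suite, f"grade {grade}"))
        if kex == "dh" and bits is not None and bits < min_dh_bits:
            findings.append((proto, suite, f"dh {bits} < {min_dh_bits}"))
        if "3DES" in suite:
            findings.append((proto, suite, "64-bit block cipher (SWEET32)"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An empty result from `audit()` corresponds to the "least strength: A and no warnings" state described above, so a CI step can fail the build whenever the list is non-empty.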

@tyranron
Contributor Author

Can't find a normal and supported nmap Docker image of the latest versions. 😢

Yet another one to impl...

@tomav
Contributor

tomav commented Jan 24, 2017

Hi @tyranron, thanks for pointing this out to us.
We also need to check that "not totally up to date" devices can still use the service.

@tyranron
Contributor Author

@tomav yeap, that's the opposite side of such change. Better security -> less clients supported.

As for me, better security is preferable by default. I think that the security level required by PCI compliance is more than enough for default settings and will help image users a lot if they need to meet PCI compliance standards.

Only a few old ciphers were removed, actually. Even more: those ciphers were not used by Postfix before the change (Postfix from master has least strength: A). So, clients that use those removed ciphers can't actually use current master either.

Also, this can always be tuned in a custom configuration, if someone needs to support less strong ciphers in his installation. I'm planning to cover this topic in the wiki.

@thiesschneider

It would be nice to choose how much security you want to enable.
I would also prefer maximum security like @tyranron.

@tyranron tyranron changed the title from "[WIP] Hardening TLS ciphers" to "Hardening TLS ciphers" Jan 25, 2017
@tyranron
Contributor Author

@tomav it's done now. Would you be so kind as to review it?

As I described above: there should be no impact for image users, as the removed ciphers were not used by Postfix anyway.

@tomav
Contributor

tomav commented Jan 25, 2017

Hi @tyranron, LGTM but Travis is red.

# postfix virtual transport lmtp
docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
make: *** [fixtures] Error 1

@tyranron
Contributor Author

@tomav it's all about races =/

@tomav
Contributor

tomav commented Jan 25, 2017

Great!

@tomav tomav merged commit d40ae81 into docker-mailserver:master Jan 25, 2017
@tyranron tyranron deleted the hardening-tls-ciphers branch January 25, 2017 13:11
RichardFevrier pushed a commit to RichardFevrier/docker-mailserver that referenced this pull request Aug 26, 2019
* Hardening Dovecot TLS ciphers
* Mitigate Logjam vulnerability on Dovecot
* Mitigate Logjam vulnerability on Postfix
* Add Nmap tests of PCI compliance for Postfix and Dovecot
* Increase sleep duration on Makefile steps to avoid races