Re: Strech verweigert E-Mails

To: debian-user-german@lists.debian.org
Subject: Re: Strech verweigert E-Mails
From: Siegfrid Brandstätter <debian@o-h-z.de>
Date: Tue, 11 Jul 2017 14:03:03 +0100
Message-id: <[🔎] c22b4464-5341-a097-813d-3475a084fc2a@o-h-z.de>
In-reply-to: <[🔎] 2c6d7677-f343-4bae-14f8-34a513e94897@o-h-z.de>
References: <[🔎] 20170710173405.1470.qmail@mail.vege.net> <[🔎] 20170711084538.tnkngn3u3sg3roua@jumper.schlittermann.de> <[🔎] 53f299eb-c49e-cf2e-6e7f-d04fed533683@o-h-z.de> <[🔎] 2aef9293-d135-612a-d577-8154799c4795@chemie.uni-hamburg.de> <[🔎] d5074d8b-3ed9-1e30-b461-ce5f3a3c5502@o-h-z.de> <[🔎] 4a21b7aa-f4ec-d4b9-2a67-efa60d76a6d0@gmx.net> <[🔎] 20170711100558.3requrkf7gdxer3l@jumper.schlittermann.de> <[🔎] 20170711101605.4ejiwhzunbwl2h3b@jumper.schlittermann.de> <[🔎] 0dl52nmotf0v8@mids.svenhartge.de> <[🔎] 2c6d7677-f343-4bae-14f8-34a513e94897@o-h-z.de>

Am 11.07.2017 um 13:18 schrieb Siegfrid Brandstätter:

Am 11.07.2017 um 12:52 schrieb Sven Hartge:
Prüfung via testssl.sh:

,----
|  Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
|
| SSLv2 offered (NOT ok), also VULNERABLE to DROWNattack -- 7 ciphers
|  SSLv3               offered (NOT ok)
|  TLS 1               offered
|  TLS 1.1             not offered
|  TLS 1.2             not offered
|  Version tolerance   downgraded to TLSv1.0 (OK)
`----

Autsch.

,----
|  Testing server preferences
|
|  Has server cipher order?     nope (NOT ok)
|  Negotiated protocol          TLSv1
| Negotiated cipher RC4-SHA (limited sense as client willpick)
|  Negotiated cipher per proto  (limited sense as client will pick)
|      RC2-CBC-MD5:                   SSLv2
|      RC4-SHA:                       SSLv3, TLSv1
| No further cipher order check has been done as order is determinedby the client
`----

Oh Gott.
  ,----
|  Testing vulnerabilities
|
| Heartbleed (CVE-2014-0160) not vulnerable (OK), noheartbeat extension
|  CCS (CVE-2014-0224)                       VULNERABLE (NOT ok)
|  Secure Renegotiation (CVE-2009-3555)      VULNERABLE (NOT ok)
| Secure Client-Initiated Renegotiation VULNERABLE (NOT ok),potential DoS threat| CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (notusing HTTP anyway)| POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok),uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)| TLS_FALLBACK_SCSV (RFC 7507), Downgrade attackprevention NOT supported| FREAK (CVE-2015-0204) VULNERABLE (NOT ok),uses EXPORT RSA ciphers| DROWN (2016-0800, CVE-2016-0703) VULNERABLE (NOT ok),SSLv2 offered with 7 ciphers| LOGJAM (CVE-2015-4000), experimental not vulnerable (OK),common primes not checked. See below for any DH ciphers + bit size| BEAST (CVE-2011-3389) SSL3: DES-CBC-SHADES-CBC3-SHA
| EXP1024-DES-CBC-SHA
| TLS1: DES-CBC-SHADES-CBC3-SHA
| EXP1024-DES-CBC-SHA
| VULNERABLE -- and nohigher protocols as mitigation supported| RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok):RC4-SHA RC4-MD5 RC4-MD5 RC4-64-MD5 EXP1024-RC4-SHA EXP-RC4-MD5
`----

Himmel.

,----
| Testing all 183 locally available ciphers against the server,ordered by encryption strength
|
| Hexcode Cipher Suite Name (OpenSSL) KeyExch. EncryptionBits Cipher Suite Name (RFC)|---------------------------------------------------------------------------------------------------------------------------| x030080 RC2-CBC-MD5 RSA RC2 128SSL_CK_RC2_128_CBC_WITH_MD5| x05 RC4-SHA RSA RC4 128TLS_RSA_WITH_RC4_128_SHA| x04 RC4-MD5 RSA RC4 128TLS_RSA_WITH_RC4_128_MD5| x010080 RC4-MD5 RSA RC4 128SSL_CK_RC4_128_WITH_MD5| x0a DES-CBC3-SHA RSA 3DES 168TLS_RSA_WITH_3DES_EDE_CBC_SHA| x0700c0 DES-CBC3-MD5 RSA 3DES 168SSL_CK_DES_192_EDE3_CBC_WITH_MD5| x080080 RC4-64-MD5 RSA RC4 64SSL_CK_RC4_64_WITH_MD5| x62 EXP1024-DES-CBC-SHA RSA(1024) DES56,exp TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA| x09 DES-CBC-SHA RSA DES 56TLS_RSA_WITH_DES_CBC_SHA| x61 EXP1024-RC2-CBC-MD5 RSA(1024) RC256,exp TLS_RSA_EXPORT1024_WITH_RC2_56_MD5| x060040 DES-CBC-MD5 RSA DES 56SSL_CK_DES_64_CBC_WITH_MD5| x64 EXP1024-RC4-SHA RSA(1024) RC456,exp TLS_RSA_EXPORT1024_WITH_RC4_56_SHA| x60 EXP1024-RC4-MD5 RSA(1024) RC456,exp TLS_RSA_EXPORT1024_WITH_RC4_56_MD5| x040080 EXP-RC2-CBC-MD5 RSA(512) RC240,exp SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5| x020080 EXP-RC4-MD5 RSA(512) RC440,exp SSL_CK_RC4_128_EXPORT40_WITH_MD5
`----

Lediglich "DES-CBC3-SHA" ist halbwegs modern (aber eigentlich auch schon
Jahre veraltet), der Rest ist schon fast mit einem RasPi3 in 2 Stunden
knackbar.
Ich habe denen jetzt mal eine E-Mail gesendet mit diesen Daten, bingespannt wie die reagieren werden.

Hier die Antwort von vege.net
Hallo Herr Brandstätter,

die Probleme sind bekannt. Bitte benutzen Sie unseren Proxyserver mitfolgenden Einstellungen:


IMAP    secure.vege.net    port 993 SSL/TLS
POP3    secure.vege.net    port 995 SSL/TLS
SMTP    secure.vege.net    port 465 SSL/TLS

bzw. fuer Webmail https://webmail.vege.net/

Dieser befindet sich z.Z. noch im Testbetrieb und wird demnaechst anunsere Kunden kommuniziert.



--
Liebe Grüße

Sigi

Reply to:

References:
- Strech verweigert E-Mails
  - From: Siegfrid Brandstätter <debian@o-h-z.de>
- Re: Strech verweigert E-Mails
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Strech verweigert E-Mails
  - From: Siegfrid Brandstätter <debian@o-h-z.de>
- Re: Strech verweigert E-Mails
  - From: Christian Schmidt <Christian.Schmidt@chemie.uni-hamburg.de>
- Re: Strech verweigert E-Mails
  - From: Siegfrid Brandstätter <debian@o-h-z.de>
- Re: Strech verweigert E-Mails
  - From: Hugo Wau <hugowau@gmx.net>
- Re: Strech verweigert E-Mails
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Strech verweigert E-Mails
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Strech verweigert E-Mails
  - From: Sven Hartge <sven@svenhartge.de>
- Re: Strech verweigert E-Mails
  - From: Siegfrid Brandstätter <debian@o-h-z.de>

Prev by Date: Re: Strech verweigert E-Mails
Next by Date: Re: Lese-/Schreiboptionen der Partitionen und Hard-Reset-Faehigkeiten
Previous by thread: Re: Strech verweigert E-Mails
Next by thread: Re: Strech verweigert E-Mails
Index(es):
- Date
- Thread