[Ach] pls pull, various changes

christian mock cm at coretec.at
Sun Nov 10 19:14:08 CET 2013


I finally found some time to go over the document; apart from a few
typos, I've changed the postfix section and added "sslscan" to the
tool list.

Regarding Postfix: changing any of the non-"mandatory" smtpd_tls_*
settings is counterproductive, as this affects opportunistic
encryption *only*. So I've removed the mention of
"smtpd_tls_protocols" -- the man page says

  This parameter SHOULD be left at its default empty value, allowing
  all protocols to be used with opportunistic TLS.

I've concentrated on the "mandatory" settings -- added a
"tls_high_cipherlist" (list copied from Apache), set
"smtpd_tls_mandatory_ciphers" to activate it, and added
"tls_ssl_options=NO_COMPRESSION" because of BREACH. I've also tried to
explain mandatory vs. opportunistic encryption and how to force your
submission smtpd to use the settings, pls critique.


Regarding the cipher suites for Apache (and others) -- AFAICT you need
Apache 2.4 to support ECDHE (Debian stable has 2.2), and maybe you
don't trust EC. Without ECDHE, *all* versions of IE are excluded,
which should at least be mentioned in the document, and will probably
be a no-go in a commercial setting.

Also, the given settings exclude Java (according to SSL Labs),
apparently because that only does AES128. That may be a problem for
those people who are running SOAPy stuff.

So I'd suggest re-evaluating the exclusion of AES128, especially since
the IIS settings do have it enabled.

cm.

PS: I'll be trying to show up tomorrow evening.

PPS: dear openssl authors, whyTF do you invent your own ciphersuite
     names instead of using the RFC nomenclature? and why "EDH" and
     "DHE" which mean the same AFAICT?

-- 
Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - So that things like this don't happen!

http://heise.de/-1260559

.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
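To illustrate the mandatory-vs-opportunistic distinction the mail describes, here is an added Postfix configuration example (constructed for this page; it is not the Ach document's text nor the author's own configuration). Port 25 stays opportunistic and leaves the protocol and cipher knobs at their defaults, while the submission service is switched to "encrypt" in master.cf so that the *mandatory* settings from main.cf actually take effect there. The certificate paths and the contents of tls_high_cipherlist are placeholders, not the list the document uses.

```ini
# --- main.cf (constructed example) ---

# Port 25 (inbound MX): opportunistic TLS. Do NOT tighten smtpd_tls_protocols
# or smtpd_tls_ciphers here; a peer that cannot satisfy them simply falls
# back to cleartext, which is worse than a weaker cipher.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/server.pem   # placeholder path
smtpd_tls_key_file  = /etc/postfix/tls/server.key   # placeholder path

# The *_mandatory_* parameters are consulted only where the security level
# is "encrypt" (or stronger). With "may" on port 25 they are inert there,
# so they can be strict without breaking opportunistic delivery.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers   = high

# "high" selects tls_high_cipherlist; the value below is an illustrative
# OpenSSL cipher string, not the list from the document.
tls_high_cipherlist = EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:!aNULL:!eNULL:!MD5:!RC4

# Disable TLS compression (Postfix 2.11+), the CRIME/BREACH mitigation
# the mail refers to.
tls_ssl_options = NO_COMPRESSION

# --- master.cf (constructed example) ---
# The submission service (port 587) is where the mandatory settings bite:
# "encrypt" makes TLS required, so smtpd_tls_mandatory_* now apply, and
# authentication is only offered inside the TLS session.
# submission inet n       -       n       -       -       smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_tls_auth_only=yes
#   -o smtpd_sasl_auth_enable=yes
```

After applying this, `postconf -n | grep tls` shows the effective main.cf values, and a scanner such as the sslscan the mail adds to the tool list run against port 587 (not 25) is the place to confirm that the mandatory cipher list is the one actually negotiated.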


