[BlueOnyx:21857] Re: new SSLCipherSuite

2018-03-14 Thread Michael Stauber
Hi all,

I'm now publishing updated base-admserv and base-apache RPMs for 5207R,
5208R and 5209R.

These introduce a stronger 'SSLCipherSuite' for HTTPS connections, which
removes the weaker Diffie-Hellman ciphers.

The new 'SSLCipherSuite' is this:

SSLCipherSuite
AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH

I briefly contemplated throwing out AES128 support as well (we're using
and preferring AES256), but I left it in for now. The 'SSLCipherSuite'
without AES128 would have looked this way:

SSLCipherSuite
AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:!AES128:@STRENGTH

According to SSLlabs this gives us the following cipher suites for
TLSv1.2 and TLSv1.1 in the following preferred order:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDH secp256r1   FS   256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     DH 4096 bits     FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     DH 4096 bits     FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DH 4096 bits     FS   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDH secp256r1   FS   128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     DH 4096 bits     FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     DH 4096 bits     FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DH 4096 bits     FS   128

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDH secp256r1   FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DH 4096 bits     FS   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDH secp256r1   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DH 4096 bits     FS   128

This means: if the browser supports the topmost cipher, it'll use it. If not,
it picks the topmost one from the list that it supports.

We retain the solid "A" rating with HSTS off and get an "A+" if HSTS is
turned on. Removing the AES128 ciphers had no real measurable impact on
the rating.

PLEASE NOTE:
============

This update will not update the 'SSLCipherSuite' settings for existing
Vsites. If you want to have them updated, you can run this script as "root":

/usr/sausalito/sbin/SSL_fixer.pl

It will toggle SSL off and on for all SSL enabled Vsites, forcing the
GUI to write out the new configuration. I decided against letting the
update do this automatically as this is something that ideally the admin
should do himself when it suits him best.

-- 
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
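The "topmost one from the list that it supports" negotiation from the message above, as an added worked example that is not part of the original post and not BlueOnyx code. The SSL Labs table is copied from the message; the client offers are constructed and are not real browser fingerprints. The "server order wins" branch assumes Apache's SSLHonorCipherOrder is on (with it off, mod_ssl lets the client's preference order decide). The example also cross-checks the FS column against the key exchange encoded in each suite name, which is the quick way to see why a list without ECDHE/DHE suites loses forward secrecy:

```python
"""Server-preferred cipher negotiation, modelled on the SSL Labs table above.

Added example, not BlueOnyx code. SSL_LABS_TLS12 is copied from the message;
the client offers below are constructed and are not real browser fingerprints.
"""

SSL_LABS_TLS12 = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    ECDH secp256r1 FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 4096 bits   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 4096 bits   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA      DH 4096 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    ECDH secp256r1 FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 4096 bits   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256   DH 4096 bits   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA      DH 4096 bits   FS 128
"""

# Ephemeral key exchanges are what give forward secrecy (the "FS" column):
# a later leak of the server's RSA key does not expose recorded sessions.
FS_KEY_EXCHANGE = {"ECDHE", "DHE"}


def key_exchange(suite):
    """Key-exchange token of a TLS 1.2-style suite name.

    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' -> 'ECDHE'
    'TLS_RSA_WITH_AES_128_CBC_SHA'          -> 'RSA' (static RSA, no FS)
    TLS 1.3 names (TLS_AES_256_GCM_SHA384) have no '_WITH_' and are not handled.
    """
    return suite.split("_WITH_")[0].split("_")[1]


def has_forward_secrecy(suite):
    return key_exchange(suite) in FS_KEY_EXCHANGE


def parse_ssllabs(table):
    """[(suite, bits, fs_flag)] in the order SSL Labs printed it, which is
    the server's preference order."""
    rows = []
    for line in table.strip().splitlines():
        tokens = line.split()
        rows.append((tokens[0], int(tokens[-1]), "FS" in tokens))
    return rows


def inconsistent_fs_rows(rows):
    """Suites whose FS column disagrees with the key exchange in the name.
    An empty list means the table is self-consistent."""
    return [suite for suite, _, fs in rows if fs != has_forward_secrecy(suite)]


def negotiate(server_prefs, client_offer, honor_server_order=True):
    """Suite a handshake ends up with, or None for 'no shared cipher'.

    honor_server_order=True models Apache's 'SSLHonorCipherOrder on': the
    first suite in the server list that the client also offers wins. With it
    off, the client's own order decides.
    """
    if honor_server_order:
        offered = set(client_offer)
        return next((s for s in server_prefs if s in offered), None)
    available = set(server_prefs)
    return next((s for s in client_offer if s in available), None)


def without_aes128(server_prefs):
    """The second cipher string in the post (the one ending in ':!AES128')."""
    return [s for s in server_prefs if "_AES_128_" not in s]


SERVER_TLS12 = [suite for suite, _, _ in parse_ssllabs(SSL_LABS_TLS12)]

# Constructed client offers (hypothetical, for illustration only).
MODERN_BROWSER = [                      # prefers AES128-GCM on its own
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
AES128_ONLY_CLIENT = [                  # no AES256 suites at all
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
LEGACY_NO_FS_CLIENT = [                 # static RSA key exchange only
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    assert not inconsistent_fs_rows(parse_ssllabs(SSL_LABS_TLS12))
    for label, client in [("modern", MODERN_BROWSER),
                          ("aes128-only", AES128_ONLY_CLIENT),
                          ("legacy", LEGACY_NO_FS_CLIENT)]:
        print(label, "server order: ", negotiate(SERVER_TLS12, client))
        print(label, "client order: ", negotiate(SERVER_TLS12, client, False))
        print(label, "without AES128:", negotiate(without_aes128(SERVER_TLS12), client))
```

The modern client gets AES256-GCM only because the server's order is honoured; with the client's order it would land on AES128-GCM. The legacy client, which offers nothing but static RSA key exchange, gets no shared suite at all, which is the trade-off the !AES128 variant makes even harder for AES128-only clients. To see what a given server's OpenSSL really expands a cipher string to, run `openssl ciphers -v` followed by the string; its Kx= column is the key exchange this example derives from the suite name.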


[BlueOnyx:21856] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-14 Thread Michael Stauber
Hi Lew,

> I ended up having to enable AES_128 SHA256 in TLS 1.1 in order 
> to make 2010 version work again and SHA 128 in TLS 1.0 to make 2007
> work
>
> I know all of this doesn't translate into the world of BX but 
> bottom line is that while hardening web servers y

Yeah, it's a balance act and supporting some legacy products doesn't
make it any easier.

TLSv1.0 is as good as dead. It will raise a red flag in PCI tests in the
next couple of months, so we already turned it off for HTTPS. I still
need to turn it off in Sendmail, Dovecot and Proftpd, though. But that
will happen prior to the PCI deadline as well.

As for AES128: I'm just considering to throw it out as well (at least
for HTTPS) in the latest overhaul of the ciphers that I'll release
today. There is no reference browser that doesn't support 256 bit AES.
They can all do one form or other of RSA 4096 (SHA256), ECDH secp256r1
with Forward Secrecy.

For email it's of course another matter, as email clients do have a much
longer half life than the average browsers. But eventually we'll have to
bite the bullet there as well.

-- 
With best regards

Michael Stauber


[BlueOnyx:21855] Re: Unable to ftp to 3 VPS's

2018-03-14 Thread Richard Barker

Thank you Michael,

They are this

-rw-r--r-- 1 root root 662 Mar 14 12:38 /etc/xinetd.d/proftpd
-rw-r--r-- 1 root root 654 Mar 14 13:13 /etc/xinetd.d/proftpds

I did this: service xinetd restart. All seems fine now.


-- 
Richard C. Barker Sr.
CEO & President
1-813-873-8942
ProBass Networks Inc.
www.probassnetworks.net
www.probass.net
***
DISCLAIMER:
This e-mail is confidential and intended only for the use
of the individual or entity named above and may contain
information that is privileged. If you are not the intended
recipient, you are notified that any dissemination, distribution
or copying of this e-mail is strictly prohibited. If you have
received this email in error, please notify us immediately
by return email or telephone and destroy the original message.



[BlueOnyx:21854] Re: Unable to ftp to 3 VPS's

2018-03-14 Thread Michael Stauber
Hi RC,

> I have stopped and started all VPS's only one is still not allowing any ftp 
> no errors in server just my client ftp log still shows this.
> 
> 2018-03-14 13:42:25, 4: Control connection could not be established.
> 2018-03-14 13:42:25, 4: (0x274d) No connection could be made because 
> the target machine actively refused it.

Please check that your server's /etc/xinetd.d/proftpd and
/etc/xinetd.d/proftpds aren't 0 bytes. They should be around 650-670
bytes long, like these here:

[root@sword ~]# ls -la /etc/xinetd.d/proftp*
-rw-r--r-- 1 root root 661 13 Mar 06:07 /etc/xinetd.d/proftpd
-rw-r- 1 root root 654  2 Nov 2014  /etc/xinetd.d/proftpds

Make sure xinetd is running and also see what /var/log/messages reports
when you restart xinetd and/or try to login via FTP.

-- 
With best regards

Michael Stauber


[BlueOnyx:21853] Re: Unable to ftp to 3 VPS's

2018-03-14 Thread Richard Barker

I have stopped and started all VPSs; only one is still not allowing any FTP.
No errors on the server, just my client FTP log still shows this.

2018-03-14 13:42:25, 4: Control connection could not be established.
2018-03-14 13:42:25, 4: (0x274d) No connection could be made because
the target machine actively refused it.

All others are working fine now

Any ideas or help

RC




[BlueOnyx:21852] Re: Unable to ftp to 3 VPS's

2018-03-14 Thread Richard Barker
I have stopped and started all VPSs; only one is still not allowing any FTP.
No errors on the server, just my client FTP log still shows this.


2018-03-14 13:42:25, 4: Control connection could not be established.
2018-03-14 13:42:25, 4: (0x274d) No connection could be made because 
the target machine actively refused it.


All others are working fine now

Any ideas or help

RC




[BlueOnyx:21851] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-14 Thread Lew Berry
Hi Michael,
Been a while since I've put my 2¢ in, and this is mostly for the benefit of Ken, 
Chris, and the other hosting guys.
In having to answer to the overlords at FINRA, NCUA, PCI, etc., I routinely 
harden Exchange servers for private companies using tools from our friends at 
Qualys and SSL Labs. When I decided to lock down the server I use to host 
Exchange for several smaller companies to get that A+, it broke every version of 
Outlook prior to 2013, including the Mac clients. I ended up having to enable 
AES_128 SHA256 in TLS 1.1 in order to make the 2010 version work again and SHA 128 
in TLS 1.0 to make 2007 work (but even this will still get you an A). 
I know all of this doesn't translate into the world of BX, but the bottom line is 
that while hardening web servers you're still going to have users who need to 
get mail securely (well, semi-securely) using old and in some cases ancient 
devices and clients. Just gotta be careful how many you run over in the process 
of locking things down.

Lew Berry, MCSE, MCT, CSSA
LCB Consulting Inc.



[BlueOnyx:21850] Unable to ftp to 3 VPS's

2018-03-14 Thread Richard Barker
My Aventurine failed over to the backup. All VPSs are running, but 3 of them 
are not allowing FTP and FTPS connections; I get this error in the logs. My IP 
is whitelisted.

2018-03-14 08:59:17, 00012: Attempting to connect to my.domain.net
2018-03-14 08:59:17, 00012: Session window 00012 established for session 
my.domain.net

2018-03-14 08:59:19, 00012: Control connection could not be established.
2018-03-14 08:59:19, 00012: (0x274d) No connection could be made because 
the target machine actively refused it.

2018-03-14 08:59:28, 00013: Attempting to connect to my.domain2.net
2018-03-14 08:59:28, 00013: Session window 00013 established for session 
my.domain2.net

2018-03-14 08:59:29, 00013: Control connection could not be established.
2018-03-14 08:59:29, 00013: (0x274d) No connection could be made because 
the target machine actively refused it.

2018-03-14 08:59:30, 00012: Control connection could not be established.
2018-03-14 08:59:30, 00012: (0x274d) No connection could be made because 
the target machine actively refused it.






[BlueOnyx:21849] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-14 Thread Michael Stauber
Hi Dirk,

> These are the cipher suites which are currently active on the 5209R servers:
> 
> SSLCipherSuite 
> HIGH:!LOW:!MEDIUM:!DH:!ADH:!EXP:!SSLv2:!SSLv3:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:!SHA:
> 
> -> unfortunately no PFS
> Is this the SSLCipherSuite you set in the scripts for adding SSL support to 
> a site, or is this not the actual value?

I think these might indeed be the problem. I'll publish an update that
introduces a more sensible SSLCipherSuite to fix this issue on 5209R.

-- 
With best regards

Michael Stauber


[BlueOnyx:21848] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-14 Thread Dirk Estenfeld
Hello Michael,

Maybe this helps to get some clarity on this issue.

These are the cipher suites which are currently active on the 5209R servers:

SSLCipherSuite 
HIGH:!LOW:!MEDIUM:!DH:!ADH:!EXP:!SSLv2:!SSLv3:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:!SHA:

-> unfortunately no PFS
Is this the SSLCipherSuite you set in the scripts for adding SSL support to a 
site, or is this not the actual value?


These are the cipher suites which are currently active on the 5208R server:

SSLCipherSuite 
HIGH:!LOW:!SEED:!DSS:!SSLv2:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:

-> PFS is enabled

Best regards,
Dirk


---

blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel




[BlueOnyx:21847] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-14 Thread Dirk Estenfeld
Hello Michael,

thank you for your email.

No, an additional download for an intermediate certificate is not the reason for 
a B rating.
I have another server with all intermediates on stock and this server also has 
a B rating. 
Also, enabling HSTS is not a guarantee for an A rating.
I have a site with HSTS enabled as well and it gets a B rating.

The problem is that the current configuration on the 5209R servers does not have 
PFS enabled. 
I can reproduce it on each 5209R we have, and these are several servers.

If you want I can give you some login information to check this.

Please check the ciphers to enable PFS. This will bring back the A rating.

Best regards,
Dirk



-----Original Message-----
From: Blueonyx [mailto:blueonyx-boun...@mail.blueonyx.it] On Behalf Of Michael 
Stauber
Sent: Tuesday, 13 March 2018 17:24
To: blueonyx@mail.blueonyx.it
Subject: [BlueOnyx:21839] Re: https://www.ssllabs.com/ssltest/analyze.html 
actual only B rating for blueonyx Server with ssl

Hi Dirk,

> are there different Ciphers for your and other 5209R Servers?

During the base-apache updates in the last 2-3 weeks to deal with the
SSL issues I went in and optimized our ciphers a little further. The
ciphers themselves didn't change much and it was just a small tweak. But
I also turned off TLSv1.0 while I was at it.

This change will not have permeated through all Vsites yet *if* their
configuration hasn't been updated through a GUI mandated change of the
configuration. I specifically decided against forcing a write out of the
new configuration to existing Vsites, because that would rock the boat
too much for just a trivial gain.

> Please check: 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.eloquia.com
> and
> https://www.ssllabs.com/ssltest/analyze.html?d=www.excite-werbeagentur.de

It's as I thought. Please go to the results page and under
"Certification Paths" click on the button to expand.

For both you will see:

"Path #1: Trusted." It lists twice "sent by server" and then "In trust
store".

For "Path #2: Trusted" you see four entries. First two are "sent by
server", third is "Extra download" (this is the problem!) and finally
"in trust store" for item four.

So the problem is that for this intermediate listed under "3" (COMODO
RSA Certification Authority) the browser needs to make an extra
download, as your server is not sending that particular intermediate.

That extra-download results in the downgrading of the rating. The point
I'm unsure about is why your cipher list for these two is massively
shortened, resulting in the "This server does not support Forward
Secrecy with the reference browsers." That *could* be related.

Please check and make sure that you've got all intermediates uploaded.

Then also check /etc/httpd/conf/vhosts/siteX for the Vsite
www.eloquia.com and see what its "SSLCipherSuite" says. It
should not be massively different from the one listed in
/etc/httpd/conf.perl/00-default-vsite.pl

> Funny fact 
> A 5208R (Scientific Linux 6.9) I get a A+
> https://www.ssllabs.com/ssltest/analyze.html?d=www.blackpoint.de

Yes, that's easily explained: "HTTP Strict Transport Security (HSTS)
with long duration deployed on this server."

As it currently is 5207R/5208R/5209R do get a solid "A" in their default
configuration. This has been the case for the last year or two. If you
*also* enable HSTS you do get an "A+".

However: HSTS is a server wide config option. If you do have Vsites that
don't have SSL enabled, then enabling HSTS will cause you problems. That
is why we cannot enable HSTS by default and leave the ability to enable
that option to the server admin.

-- 
With best regards

Michael Stauber