On Thu, Jun 11, 2015 at 7:32 PM, Royce Williams <royce@tycho.org> wrote:
> On Thu, Jun 11, 2015 at 6:21 PM, Royce Williams <royce@tycho.org> wrote:
> > A semi-OT public-service announcement for Alaskan geeks, since this is
> > the largest forum I'm aware of that contains them. :) It will also
> > directly impact any Linux users trying to get to certain web sites,
> > including some Alaskan ones. I've been doing some research into SSL
> > and TLS recently, so I thought I could provide a heads-up.
> >
> > Today's OpenSSL annoucement here:
> >
> > https://www.openssl.org/news/secadv_20150611.txt
> >
> > ... says:
> >
> > "OpenSSL has added protection for TLS clients by rejecting handshakes
> > with DH parameters shorter than 768 bits. This limit will be increased
> > to 1024 bits in a future release."
> >
> > This is in response to the recently publicized Logjam vulnerability:
> >
> > https://weakdh.org/
> >
> >
> > As these new OpenSSL patches ripple across the Internet, TLS to the
> > following Alaska-affiliated web sites may be affected, because they
> > are using 512-bit DH parameters:
>
[snip]
> > The list of sites using 768-bit is quite a bit larger, and while
> > they're not currently affected by the OpenSSL patches, their days are
> > numbered. Action in advance is likely called for. They are as
> > follows:
>
SMTP can also use SSL/TLS. For the Alaskan-looking domains that I'm aware
of, here are the ones that appear to be using 512-bit and 768-bit DH
parameters at their highest-priority MX (primary inbound mail server).
Note that I only tested the first MX.
I'm not positive that this would result in an actual interruption in email
flow once the sending server is patched to the newest OpenSSL, but it's
probably best to rule it out.
512-bit:
b2ak.com
FirstMX: inbound30.exchangedefender.com.
Server Temp Key: DH, 512 bits
gcimbs.net
FirstMX: mxgw-1.gcimbs.net.
Server Temp Key: DH, 512 bits
kikiktagruk.com
FirstMX: inbound30.exchangedefender.com.
Server Temp Key: DH, 512 bits
nomealaska.org
FirstMX: inbound30.exchangedefender.com.
Server Temp Key: DH, 512 bits
rlglaw.com
FirstMX: inbound30.exchangedefender.com.
Server Temp Key: DH, 512 bits
schoolaccess.net
FirstMX: sa.schoolaccess.net.
Server Temp Key: DH, 512 bits
... and 768-bit:
adaktu.net
FirstMX: adaktu.net.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
bristolbay.com
FirstMX: bristolbay.com.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
ctcak.net
FirstMX: ctcak.net.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
hillsidemedicine.com
FirstMX: condor.compudyne.net.
Server Temp Key: DH, 768 bits
klawockschool.com
FirstMX: mx1.gaggle.net.
Server Temp Key: DH, 768 bits
kpu.net
FirstMX: kpu.net.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
kpunet.net
FirstMX: kpunet.net.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
kpunet.org
FirstMX: kpunet.org.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
kputel.com
FirstMX: kputel.com.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
kputel.org
FirstMX: kputel.org.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
nushtel.com
FirstMX: nushtel.com.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
nushtel.net
FirstMX: nushtel.net.mx2.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
otz.net
FirstMX: otz.net.mx1.greymail.rcimx.net.
Server Temp Key: DH, 768 bits
These were tested with the following OpenSSL command (note that for "Server
Temp Key" to show up in the output, you have to be using OpenSSL 1.0.2.
echo QUIT | openssl s_client -verify 0 -starttls smtp -connect
www.example.net.:25 -cipher "EDH" 2>&1
Royce
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Jun 16 05:45:52 2015
This archive was generated by hypermail 2.1.8 : Tue Jun 16 2015 - 05:45:52 AKDT