Fortunately for me, I only have one in the 512 list, rt.rbcak.org, and it
is an abandoned project just waiting for the domain to go away. Thanks
Royce!
On Tue, Jun 16, 2015 at 5:45 AM Royce Williams <royce@tycho.org> wrote:
> On Thu, Jun 11, 2015 at 7:32 PM, Royce Williams <royce@tycho.org> wrote:
>
>> On Thu, Jun 11, 2015 at 6:21 PM, Royce Williams <royce@tycho.org> wrote:
>> > A semi-OT public-service announcement for Alaskan geeks, since this is
>> > the largest forum I'm aware of that contains them. :) It will also
>> > directly impact any Linux users trying to get to certain web sites,
>> > including some Alaskan ones. I've been doing some research into SSL
>> > and TLS recently, so I thought I could provide a heads-up.
>> >
>> > Today's OpenSSL annoucement here:
>> >
>> > https://www.openssl.org/news/secadv_20150611.txt
>> >
>> > ... says:
>> >
>> > "OpenSSL has added protection for TLS clients by rejecting handshakes
>> > with DH parameters shorter than 768 bits. This limit will be increased
>> > to 1024 bits in a future release."
>> >
>> > This is in response to the recently publicized Logjam vulnerability:
>> >
>> > https://weakdh.org/
>> >
>> >
>> > As these new OpenSSL patches ripple across the Internet, TLS to the
>> > following Alaska-affiliated web sites may be affected, because they
>> > are using 512-bit DH parameters:
>>
>
> [snip]
>
>
>> > The list of sites using 768-bit is quite a bit larger, and while
>> > they're not currently affected by the OpenSSL patches, their days are
>> > numbered. Action in advance is likely called for. They are as
>> > follows:
>>
>
> SMTP can also use SSL/TLS. For the Alaskan-looking domains that I'm aware
> of, here are the ones that appear to be using 512-bit and 768-bit DH
> parameters at their highest-priority MX (primary inbound mail server).
> Note that I only tested the first MX.
>
> I'm not positive that this would result in an actual interruption in email
> flow once the sending server is patched to the newest OpenSSL, but it's
> probably best to rule it out.
>
> 512-bit:
>
> b2ak.com
> FirstMX: inbound30.exchangedefender.com.
> Server Temp Key: DH, 512 bits
>
> gcimbs.net
> FirstMX: mxgw-1.gcimbs.net.
> Server Temp Key: DH, 512 bits
>
> kikiktagruk.com
> FirstMX: inbound30.exchangedefender.com.
> Server Temp Key: DH, 512 bits
>
> nomealaska.org
> FirstMX: inbound30.exchangedefender.com.
> Server Temp Key: DH, 512 bits
>
> rlglaw.com
> FirstMX: inbound30.exchangedefender.com.
> Server Temp Key: DH, 512 bits
>
> schoolaccess.net
> FirstMX: sa.schoolaccess.net.
> Server Temp Key: DH, 512 bits
>
>
> ... and 768-bit:
>
> adaktu.net
> FirstMX: adaktu.net.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> bristolbay.com
> FirstMX: bristolbay.com.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> ctcak.net
> FirstMX: ctcak.net.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> hillsidemedicine.com
> FirstMX: condor.compudyne.net.
> Server Temp Key: DH, 768 bits
>
> klawockschool.com
> FirstMX: mx1.gaggle.net.
> Server Temp Key: DH, 768 bits
>
> kpu.net
> FirstMX: kpu.net.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> kpunet.net
> FirstMX: kpunet.net.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> kpunet.org
> FirstMX: kpunet.org.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> kputel.com
> FirstMX: kputel.com.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> kputel.org
> FirstMX: kputel.org.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> nushtel.com
> FirstMX: nushtel.com.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> nushtel.net
> FirstMX: nushtel.net.mx2.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
> otz.net
> FirstMX: otz.net.mx1.greymail.rcimx.net.
> Server Temp Key: DH, 768 bits
>
>
> These were tested with the following OpenSSL command (note that for
> "Server Temp Key" to show up in the output, you have to be using OpenSSL
> 1.0.2.
>
> echo QUIT | openssl s_client -verify 0 -starttls smtp -connect
> www.example.net.:25 -cipher "EDH" 2>&1
>
> Royce
>
> --
___ _______
| | |
| | _ |
| | |_| |
___| | ___|
| | |
|_______|___|
*JP (Jesse Perry)*
voice/txt: 907-748-2200
email: jp@jptechnical.com
web: http://jptechnical.com
support: helpdesk@jptechnical.com
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Jun 16 12:51:49 2015
This archive was generated by hypermail 2.1.8 : Tue Jun 16 2015 - 12:51:49 AKDT