[aklug] Re: heads-up for OpenSSL change affecting TLS using 512-bit DH parameters

JP, rockin' - bullet dodged. :)

All, if this is an issue for any of you or your customers, here's what you
may see in your logs if you're doing sendmail:

Jun 17 22:35:28 heffalump sendmail[60380]: STARTTLS=client, error: connect
failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1

It's the "dh key too small" that's the tell.

Royce

On Tue, Jun 16, 2015 at 12:51 PM, JP <jp@jptechnical.com> wrote:

> Fortunately for me, I only have one in the 512 list, rt.rbcak.org, and it
> is an abandoned project just waiting for the domain to go away. Thanks
> Royce!
>
> On Tue, Jun 16, 2015 at 5:45 AM Royce Williams <royce@tycho.org> wrote:
>
>> On Thu, Jun 11, 2015 at 7:32 PM, Royce Williams <royce@tycho.org> wrote:
>>
>>> On Thu, Jun 11, 2015 at 6:21 PM, Royce Williams <royce@tycho.org> wrote:
>>> > A semi-OT public-service announcement for Alaskan geeks, since this is
>>> > the largest forum I'm aware of that contains them. :) It will also
>>> > directly impact any Linux users trying to get to certain web sites,
>>> > including some Alaskan ones. I've been doing some research into SSL
>>> > and TLS recently, so I thought I could provide a heads-up.
>>> >
>>> > Today's OpenSSL annoucement here:
>>> >
>>> > https://www.openssl.org/news/secadv_20150611.txt
>>> >
>>> > ... says:
>>> >
>>> > "OpenSSL has added protection for TLS clients by rejecting handshakes
>>> > with DH parameters shorter than 768 bits. This limit will be increased
>>> > to 1024 bits in a future release."
>>> >
>>> > This is in response to the recently publicized Logjam vulnerability:
>>> >
>>> > https://weakdh.org/
>>> >
>>> >
>>> > As these new OpenSSL patches ripple across the Internet, TLS to the
>>> > following Alaska-affiliated web sites may be affected, because they
>>> > are using 512-bit DH parameters:
>>>
>>
>> [snip]
>>
>>
>>> > The list of sites using 768-bit is quite a bit larger, and while
>>> > they're not currently affected by the OpenSSL patches, their days are
>>> > numbered. Action in advance is likely called for. They are as
>>> > follows:
>>>
>>
>> SMTP can also use SSL/TLS. For the Alaskan-looking domains that I'm
>> aware of, here are the ones that appear to be using 512-bit and 768-bit DH
>> parameters at their highest-priority MX (primary inbound mail server).
>> Note that I only tested the first MX.
>>
>> I'm not positive that this would result in an actual interruption in
>> email flow once the sending server is patched to the newest OpenSSL, but
>> it's probably best to rule it out.
>>
>> 512-bit:
>>
>> b2ak.com
>> FirstMX: inbound30.exchangedefender.com.
>> Server Temp Key: DH, 512 bits
>>
>> gcimbs.net
>> FirstMX: mxgw-1.gcimbs.net.
>> Server Temp Key: DH, 512 bits
>>
>> kikiktagruk.com
>> FirstMX: inbound30.exchangedefender.com.
>> Server Temp Key: DH, 512 bits
>>
>> nomealaska.org
>> FirstMX: inbound30.exchangedefender.com.
>> Server Temp Key: DH, 512 bits
>>
>> rlglaw.com
>> FirstMX: inbound30.exchangedefender.com.
>> Server Temp Key: DH, 512 bits
>>
>> schoolaccess.net
>> FirstMX: sa.schoolaccess.net.
>> Server Temp Key: DH, 512 bits
>>
>>
>> ... and 768-bit:
>>
>> adaktu.net
>> FirstMX: adaktu.net.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> bristolbay.com
>> FirstMX: bristolbay.com.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> ctcak.net
>> FirstMX: ctcak.net.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> hillsidemedicine.com
>> FirstMX: condor.compudyne.net.
>> Server Temp Key: DH, 768 bits
>>
>> klawockschool.com
>> FirstMX: mx1.gaggle.net.
>> Server Temp Key: DH, 768 bits
>>
>> kpu.net
>> FirstMX: kpu.net.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> kpunet.net
>> FirstMX: kpunet.net.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> kpunet.org
>> FirstMX: kpunet.org.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> kputel.com
>> FirstMX: kputel.com.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> kputel.org
>> FirstMX: kputel.org.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> nushtel.com
>> FirstMX: nushtel.com.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> nushtel.net
>> FirstMX: nushtel.net.mx2.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>> otz.net
>> FirstMX: otz.net.mx1.greymail.rcimx.net.
>> Server Temp Key: DH, 768 bits
>>
>>
>> These were tested with the following OpenSSL command (note that for
>> "Server Temp Key" to show up in the output, you have to be using OpenSSL
>> 1.0.2.
>>
>> echo QUIT | openssl s_client -verify 0 -starttls smtp -connect
>> www.example.net.:25 -cipher "EDH" 2>&1
>>
>> Royce
>>
>> --
>
> ___ _______
> | | |
> | | _ |
> | | |_| |
> ___| | ___|
> | | |
> |_______|___|
>
> *JP (Jesse Perry)*
> voice/txt: 907-748-2200
> email: jp@jptechnical.com
> web: http://jptechnical.com
> support: helpdesk@jptechnical.com
>
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Jun 17 22:55:06 2015