
March 2016 Archives

2016-03-06 21:07:05

Enhanced encryption for dovecot on RHEL/CentOS 5

Red Hat's dovecot RPM package is the old version 1.0.7, which lacks modern cryptography and, on RHEL 5, has the additional disadvantage of being linked against OpenSSL 0.9.8.

The tuxad repo for RHEL 5 / CentOS 5 contains a patched version of Red Hat's dovecot. If you use an ssl_cipher_list such as

[frankb@treferpol tuxad]$ grep ^ssl_cipher_list \
  /etc/dovecot.conf

ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256: \
  ECDHE-ECDSA-AES256-GCM-SHA384: \
  ECDHE-RSA-AES128-GCM-SHA256: \
  ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256: \
  DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256: \
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256: \
  ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256: \
  DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA: \
  ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA: \
  ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA: \
  DHE-RSA-AES256-SHA:ALL:!aNULL:!ADH:!3DES:!EXP:!RC4: \
  !kRSA:!kKRB5:!aDSS:!DES:!aPSK:!kECDH

then ssltest.sh (Download) reports these results:

$ SSLCipherSuite=ALL ssltest.sh 127.0.0.1 993 
Testing: 81.89.239.233 993 ALL
Testing protocols:
SSLv2: NO
SSLv3: NO
TLSv1: YES
TLSv1.1: YES
TLSv1.2: YES
Testing ciphers using protocol TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AES(256) Mac=SHA384 TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc= \
  AESGCM(256) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA256 TempKey: DH, 2048 bits
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA \
  Enc=Camellia(256) Mac=SHA1 TempKey: DH, 2048 bits
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AESGCM(128) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc= \
  AES(128) Mac=SHA256 TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) \
  Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc= \
  AESGCM(128) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) \
  Mac=SHA256 TempKey: DH, 2048 bits
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) \
  Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA \
  Enc=Camellia(128) Mac=SHA1 TempKey: DH, 2048 bits
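The ssltest.sh output above is easy to skim past. The following script is an added example (not part of the original post and not the author's ssltest.sh) that parses report lines in exactly that format and checks them against the cipher list from this post: it flags SSLv2/SSLv3 if enabled, suites without forward secrecy, DH parameters below 2048 bits, HMAC-SHA1 suites, and suites that were only accepted through the trailing ALL token rather than the explicit preference list (the SEED and Camellia suites in the output are such cases). The sample report is constructed from the page's own output lines; the last line's DH size is changed to 1024 bits on purpose so the weak-DH check has something to find. Function names are the example's own.

```python
"""Audit ssltest.sh-style output against a hardening policy (added example)."""
import re

# Constructed sample based on the output shown in the post. The final line's
# DH size is deliberately 1024 bits (the post shows 2048) to exercise a check.
SAMPLE_REPORT = """\
Testing protocols:
SSLv2: NO
SSLv3: NO
TLSv1: YES
TLSv1.1: YES
TLSv1.2: YES
Testing ciphers using protocol TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD TempKey: ECDH, secp521r1, 521 bits
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 TempKey: ECDH, secp521r1, 521 bits
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD TempKey: DH, 2048 bits
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 TempKey: DH, 2048 bits
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 TempKey: DH, 1024 bits
"""

# The post's ssl_cipher_list, joined onto one line.
CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "ALL:!aNULL:!ADH:!3DES:!EXP:!RC4:!kRSA:!kKRB5:!aDSS:!DES:!aPSK:!kECDH"
)

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?):\s+(YES|NO)$")
# One cipher line: name, minimum protocol the suite was defined for, then the
# OpenSSL-style Kx/Au/Enc/Mac fields and the ephemeral key description.
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s+TempKey:\s+(?P<tempkey>.+)$"
)


def parse_report(text):
    """Return ({protocol: enabled}, [cipher dicts]) from ssltest.sh-style text."""
    protocols, ciphers = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = PROTO_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2) == "YES"
            continue
        m = CIPHER_RE.match(line)
        if m:
            c = m.groupdict()
            bits = re.search(r"(\d+) bits", c["tempkey"])
            c["tempkey_bits"] = int(bits.group(1)) if bits else None
            ciphers.append(c)
    return protocols, ciphers


def explicit_preferences(cipher_list):
    """Suite names listed by hand before the catch-all ALL token."""
    prefs = []
    for token in cipher_list.split(":"):
        if token == "ALL":
            break
        if not token.startswith("!"):
            prefs.append(token)
    return prefs


def audit(text, cipher_list):
    """Return a list of human-readable findings; empty means policy met."""
    findings = []
    protocols, ciphers = parse_report(text)
    # The protocol section is authoritative. "SSLv3" in a cipher line only
    # says the suite was first defined for SSLv3; it is not evidence that the
    # server negotiates SSLv3.
    for proto in ("SSLv2", "SSLv3"):
        if protocols.get(proto):
            findings.append(f"{proto} enabled")
    prefs = set(explicit_preferences(cipher_list))
    for c in ciphers:
        name = c["name"]
        if c["kx"] not in ("ECDH", "DH"):
            findings.append(f"{name}: no forward secrecy (Kx={c['kx']})")
        if c["kx"] == "DH" and (c["tempkey_bits"] or 0) < 2048:
            findings.append(f"{name}: DH parameters only {c['tempkey_bits']} bits")
        if c["mac"] == "SHA1":
            findings.append(f"{name}: HMAC-SHA1 cipher suite")
        if name not in prefs:
            findings.append(f"{name}: accepted via ALL, not in explicit preference list")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT, CIPHER_LIST):
        print(finding)
```

To use it on a real run, pipe the ssltest.sh output into `audit()` instead of `SAMPLE_REPORT`. The "accepted via ALL" check is the interesting one for this post: everything after the explicit names is admitted by `ALL` minus the `!` exclusions, which is how SEED and Camellia suites end up offered even though nobody listed them.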

Because dovecot and other daemons are excluded by default in the tuxad repo, so that these packages normally come from Red Hat, you must use this command to install the tuxad dovecot:

yum install --disableexcludes=all \
  --disablerepo=* --enablerepo=tuxad dovecot

Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, rpm, yum, repository, redhat, openssl

2016-03-03 18:48:03

DROWN attack: updated openssl1 packages available

DROWN is a serious vulnerability that affects many servers using SSL.

Red Hat provided an update of their OpenSSL 1 RPM package for RHEL 6. The tuxad repo, which contains a port of this RHEL 6 package for the older RHEL 5 / CentOS 5, also has an updated release of the package.


Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, rpm, yum, repository, redhat, openssl