Allow Elliptic Curve Criptography (ECC) certificate

[stephdl]

Steps to reproduce

With centos7.5 and the tls policy 20180330 the usage of ECC certificate are not allowed by our ssl policy, the ciphers are not allowed, we have to add :

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256

this page will explain better what cipher to use for ECC (we do not want sslv3)

Expected behavior

No error, if needed we have to allow ECC certificate by a new tls policy (TLS-20180621)

Actual behavior

not allowed

Components we have to patch these services

• [x] httpd
• [x] httpd-admin
• [x] postfix (smtpd) mail2
• [x] dovecot mail2
• [x] postfix (smtpd)(nethserver-mail-server)
• [x] ~~postfix (smtp)~~ (we do not offer a list of cipher, we just ask for hight in opportunistic mode)
• [x] dovecot (nethserver-mail-server)
• [x] ~~sshd~~ already allowed, seeKexAlgorithms curve25519-sha256@libssh.org

See also

the older issue in GH : https://github.com/NethServer/dev/issues/5438 and the discourse forum: https://community.nethserver.org/t/default-tls-policy-doesnt-allow-connections-with-ecc-certificate/9952

---

thank danb35

[DavidePrincipi]

What about OpenLDAP? Even if it does not implement TLS policy by now, did you check if it works with an ECC?

[nethbot]

in 7.5.1804/testing:

• nethserver-mail-server-1.12.1-1.1.g1d23822.ns7.noarch.rpm
• nethserver-mail-server-ipaccess-1.12.1-1.1.g1d23822.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-3.2.3-1.1.gdced728.ns7.noarch.rpm
• nethserver-httpd-proxypass-3.2.3-1.1.gdced728.ns7.noarch.rpm
• nethserver-httpd-virtualhosts-3.2.3-1.1.gdced728.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-admin-2.3.0-1.1.ga2b5acb.ns7.noarch.rpm

[stephdl]

will check for ECC and Ldap @DavidePrincipi

How I can build again the rpm nethserver-mail with Travis, the build failed :'(

[stephdl]

Testing cases

install from testing

• nethserver-httpd
• nethserver-httpd-admin
• nethserver-mail2-server or nethserver-mail-server

Test there is no regressions and no error in templates (check logs) by changing the tls-policy

you can check what ciphers are allowed by checking the testssl.sh page

Services to tests with testssl.sh and the 20180330 tls policy

• imap testssl.sh -t imap 127.0.0.1:143
• pop3 testssl.sh -t pop3 127.0.0.1:110
• https 443 testssl.sh 127.0.0.1:443
• httpd-admin testssl.sh 127.0.0.1:980
• smtpd testssl.sh -t smtp 127.0.0.1:587

testssl.sh should give back the list of cipher, you are looking forKeyExch. ECDH, for example ECDHE-RSA-AES256-GCM-SHA384

The last and ultimate test is to upload a ECC certificate and check that you can use these services.

[nethbot]

in 7.5.1804/testing:

• nethserver-mail2-common-2.2.0-1.1.gbd41012.ns7.noarch.rpm
• nethserver-mail2-disclaimer-2.2.0-1.1.gbd41012.ns7.noarch.rpm
• nethserver-mail2-filter-2.2.0-1.1.gbd41012.ns7.noarch.rpm
• nethserver-mail2-getmail-2.2.0-1.1.gbd41012.ns7.noarch.rpm
• nethserver-mail2-ipaccess-2.2.0-1.1.gbd41012.ns7.noarch.rpm
• nethserver-mail2-p3scan-2.2.0-1.1.gbd41012.ns7.noarch.rpm
• nethserver-mail2-server-2.2.0-1.1.gbd41012.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-admin-2.3.0-1.3.g90ff9a1.ns7.noarch.rpm

[DavidePrincipi]

I cannot upload an ECC certificate from Server Manager UI :(

To generate the certificate i ran these commands on a Fedora 28:

openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"

origin: https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/

[DavidePrincipi]

Shall we add DSA support too?

[stephdl]

dsa is for signature, not for encryption. openssh dropped the support since openssh7.

I suppose we do not need to allow it.

[stephdl]

What about OpenLDAP? Even if it does not implement TLS policy by now, did you check if it works with an ECC?

not much hints, I do not know

[DavidePrincipi]

OpenSSH does not use a x509 certificate, at least with our configuration and generate its own key pair. I guess it has different requirements.

Instead DSA and ECDSA are part of x509 rfc 3279 and subsequents. I don't know how much they are adopted.

Even if (EC)DSA is for signing I guess it is used in TLS only to identify the peers. Let me dig it more...

[stephdl]

I could see that some vhosts needs to get a cipher definition, like mattermost or nextcloud

My concern is that we need to upgrade consistently the list after each change. For example mattermost won't allow the ecc certificate.

What do you think @DavidePrincipi and @gsanchietti. I wonder if the cipher list should not be stored in the tls-policy key and retrievable everywhere by ${'tls-policy'}{'20180330'}

This will bring other problem, how to separate ciphers (not the same for openssh) and the format to write them (postfix want to separate allowed and refused ciphers)

[DavidePrincipi]

About mattermost and nextcloud, I'd say they should rely on the global Apache setting and not defining their own overrides, unless there are specific requirements from their app clients. We must check this!

As you can see from https://github.com/NethServer/nethserver-base/pull/120, this enhancement is actually a new feature: adding ECC certificates support impacts on Server Manager too!

I think it is better to postpone this new feature after 7.5 release.

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-3.2.3-1.2.g914ae44.ns7.noarch.rpm
• nethserver-httpd-proxypass-3.2.3-1.2.g914ae44.ns7.noarch.rpm
• nethserver-httpd-virtualhosts-3.2.3-1.2.g914ae44.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail2-common-2.2.0-1.2.g02f591f.ns7.noarch.rpm
• nethserver-mail2-disclaimer-2.2.0-1.2.g02f591f.ns7.noarch.rpm
• nethserver-mail2-filter-2.2.0-1.2.g02f591f.ns7.noarch.rpm
• nethserver-mail2-getmail-2.2.0-1.2.g02f591f.ns7.noarch.rpm
• nethserver-mail2-ipaccess-2.2.0-1.2.g02f591f.ns7.noarch.rpm
• nethserver-mail2-p3scan-2.2.0-1.2.g02f591f.ns7.noarch.rpm
• nethserver-mail2-server-2.2.0-1.2.g02f591f.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail-server-1.12.1-1.2.g7286130.ns7.noarch.rpm
• nethserver-mail-server-ipaccess-1.12.1-1.2.g7286130.ns7.noarch.rpm

[DavidePrincipi]

Issue postponed after 7.5 final. Implement a new TLS policy:

• https://github.com/NethServer/nethserver-httpd/commit/914ae44388391def253cd8273ec51b4db738b290
• https://github.com/NethServer/nethserver-mail/pull/48/commits/929e6284345f893f0fe4b26a15cdf464da270c9c
• https://github.com/NethServer/nethserver-mail-server/pull/58/commits/e14e3fc11012ae9d7f14e5186e58c4186aa3cda3

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-3.2.3-1.3.gb537bb4.ns7.noarch.rpm
• nethserver-httpd-proxypass-3.2.3-1.3.gb537bb4.ns7.noarch.rpm
• nethserver-httpd-virtualhosts-3.2.3-1.3.gb537bb4.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail2-common-2.2.0-1.3.gedd7320.ns7.noarch.rpm
• nethserver-mail2-disclaimer-2.2.0-1.3.gedd7320.ns7.noarch.rpm
• nethserver-mail2-filter-2.2.0-1.3.gedd7320.ns7.noarch.rpm
• nethserver-mail2-getmail-2.2.0-1.3.gedd7320.ns7.noarch.rpm
• nethserver-mail2-ipaccess-2.2.0-1.3.gedd7320.ns7.noarch.rpm
• nethserver-mail2-p3scan-2.2.0-1.3.gedd7320.ns7.noarch.rpm
• nethserver-mail2-server-2.2.0-1.3.gedd7320.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail2-common-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm
• nethserver-mail2-disclaimer-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm
• nethserver-mail2-filter-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm
• nethserver-mail2-getmail-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm
• nethserver-mail2-ipaccess-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm
• nethserver-mail2-p3scan-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm
• nethserver-mail2-server-2.2.0-1.4.gc8dcecc.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail2-common-2.2.0-1.5.ga892487.ns7.noarch.rpm
• nethserver-mail2-disclaimer-2.2.0-1.5.ga892487.ns7.noarch.rpm
• nethserver-mail2-filter-2.2.0-1.5.ga892487.ns7.noarch.rpm
• nethserver-mail2-getmail-2.2.0-1.5.ga892487.ns7.noarch.rpm
• nethserver-mail2-ipaccess-2.2.0-1.5.ga892487.ns7.noarch.rpm
• nethserver-mail2-p3scan-2.2.0-1.5.ga892487.ns7.noarch.rpm
• nethserver-mail2-server-2.2.0-1.5.ga892487.ns7.noarch.rpm

[stephdl]

@davidep what did you plan for this Issue do we release without dsa, not much used and not wanted/needed by the community or do we release as is ?

[DavidePrincipi]

Let's release it for ECC certificates only. Splitting the feature eases the QA and documentation processes too... Furthermore the DSA use case has not been requested.

[nethbot]

in 7.5.1804/testing:

• nethserver-mattermost-1.1.0-1.1.gcb37262.ns7.x86_64.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mattermost-1.1.0-1.2.g3938905.ns7.x86_64.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-nextcloud-1.2.1-1.3.g2d77425.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-base-3.3.0-1.1.gd480653.ns7.noarch.rpm

[DavidePrincipi]

Test case

• Generate ECDSA certificate

• Upload it to server manager

• Check the following services use the ECDSA cert correctly

• [x] httpd (default virtual host)

• [x] httpd (mattermost)

• [x] httpd (nextcloud)

• [x] httpd (additional virtual host)

• [x] httpd-admin

• [x] smtpd

• [x] dovecot

• [x] smtpd (mail2)

• [x] dovecot (mail2)

• [ ] slapd

see also the previous test case to see how to run the checks.

[stephdl]

I have some issue to use an ecc cert with dovecot and postfix, I need to investigate

[nethbot]

in 7.5.1804/testing:

• nethserver-base-3.3.0-1.2.g6ccaadd.ns7.noarch.rpm

[nethbot]

in 7.5.1804/updates:

• nethserver-nextcloud-1.2.2-1.ns7.noarch.rpm

[nethbot]

in 7.5.1804/updates:

• nethserver-mattermost-1.1.1-1.ns7.x86_64.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-base-3.3.0-1.3.gb54e1ae.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail-server-1.12.1-1.3.g0c40075.ns7.noarch.rpm
• nethserver-mail-server-ipaccess-1.12.1-1.3.g0c40075.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-mail2-common-2.2.2-1.1.g803ba19.ns7.noarch.rpm
• nethserver-mail2-disclaimer-2.2.2-1.1.g803ba19.ns7.noarch.rpm
• nethserver-mail2-filter-2.2.2-1.1.g803ba19.ns7.noarch.rpm
• nethserver-mail2-getmail-2.2.2-1.1.g803ba19.ns7.noarch.rpm
• nethserver-mail2-ipaccess-2.2.2-1.1.g803ba19.ns7.noarch.rpm
• nethserver-mail2-p3scan-2.2.2-1.1.g803ba19.ns7.noarch.rpm
• nethserver-mail2-server-2.2.2-1.1.g803ba19.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-3.2.4-1.1.g94cf25a.ns7.noarch.rpm
• nethserver-httpd-proxypass-3.2.4-1.1.g94cf25a.ns7.noarch.rpm
• nethserver-httpd-virtualhosts-3.2.4-1.1.g94cf25a.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-httpd-admin-2.3.1-1.1.gfecfa73.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-base-3.3.0-1.4.g111551d.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-base-3.3.0-1.5.g80dacbf.ns7.noarch.rpm

[DavidePrincipi]

Some commands for QA

httpd

curl -k -v https://192.168.122.8
curl -k -v https://192.168.122.8 -H 'Host: mynextcloud.domain.com'
curl -k -v https://192.168.122.8 -H 'Host: mattermost.dpnet.nethesis.it'

httpd vhost

openssl s_client -servername vm8.dpnet.nethesis.it -connect 192.168.122.8:443

httpd-admin

 curl -k -v https://192.168.122.8:980

slapd

LDAPTLS_REQCERT=never ldapsearch -ZZ -s base -H ldap://192.168.122.8 -D 'cn=ldapservice,dc=directory,dc=nh' -x -w '6lpPIkkPr_DEXzdu'  -b ''

dovecot

curl --ssl -k -v -u first.user:Nethesis,1234 imap://192.168.122.8

postfix

curl --ssl -k -v -u first.user:Nethesis,1234 smtp://192.168.122.8:587

generate a CSR with server alt names (-subj)

openssl req -new -sha256 -key ecc-qa-key.pem -out ecc-qa-csr.csr -subj '/CN=vmalpha.dpnet.nethesis.it, O=Nethesis, ST=Italy/emailAddress=davide.principi@nethesis.it/subjectAltName=vmalpha.dpnet.nethesis.it,mattermost.dpnet.nethesis.it,mynextcloud.domain.com,vm8.dpnet.nethesis.it, OU=Development, C=IT, L=Pesaro'

[stephdl]

Tk, I need to write them to the wiki, I did a page on this topic....testssl

[DavidePrincipi]

Other commands for QA:

 nmap  --script ssl-enum-ciphers 192.168.122.8 -p 636
 ./testssl.sh 192.168.122.8:636

The nmap command in Fedora 28 has more detailed output than the one in CentOS7.

[nethbot]

in 7.5.1804/testing:

• nethserver-base-3.3.0-1.6.g24de3ee.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-directory-3.2.7-1.3.g971c0c1.ns7.noarch.rpm

[DavidePrincipi]

Test case

• [ ] See https://github.com/NethServer/dev/issues/5509#issuecomment-396585618
• [x] Check TLS policy 20180330 cannot be selected with an ECC certificate and vice-versa
• [x] Check the testing package nethserver-directory works as remote accounts provider with both RSA and ECC certficate

---

See also https://github.com/NethServer/dev/issues/5509#issuecomment-399154273

[stephdl]

Tk, I need to write them to the wiki, I did a page on this topic....testssl

done https://wiki.nethserver.org/doku.php?id=testing_tls_ssl_encryption

[stephdl]

VERIFICATION

• nethserver-nextcloud already released (probably in other issue)
• nethserver-mattermost already released (probably in other issue)
• nethserver-openldap a remote can authenticate with ECC certficate or a RSA cert, the mandatory is to upgrade to openldap-2.4.44 (centos7.5) you can see the list of cipher
• If you install an ECC cert as default the validator check that the policy is default or 20180621

Proposed verified

[DavidePrincipi]

Pushed translations to Transifex