svarshavchik / courier

Courier Mail Server
http://www.courier-mta.org

Issue reported by internet.nl: Insecure DH key exchange parameters #24

Closed andrejpodzimek closed 4 years ago

andrejpodzimek commented 4 years ago

There doesn't seem to be a way to fix this problem:

[screenshot]

I've tried to set TLS_MIN_DH_BITS=1024 (and 2048 and 4096), but it seems to have no effect. I couldn't find any parameters that could influence the elliptic curve algorithms (or other choice of key exchange algorithms) selected during key exchange.

Links from the screenshot:

svarshavchik commented 4 years ago

As documented, TLS_MIN_DH_BITS is for the GnuTLS library only. If you compiled Courier against GnuTLS, instead of OpenSSL, and see this, then you need to note that. With OpenSSL and GnuTLS, custom DH parameters can be loaded via TLS_DHPARAMS.

andrejpodzimek commented 3 years ago

I've figured this out by chance after a long time. Basically the list of ciphers must not contain anything that starts with DHE-. In my case, based on Mozilla's security recommendations, two ciphers from the recommended intermediate list were the culprit: DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384. Their removal made this warning go away.

OpenSSL's tricky wildcards are hard to compare against a verbatim list of ciphers; this needs to be checked using openssl ciphers -v "$TLS_CIPHER_LIST".

While this doesn't clarify the root cause, i.e., why the DH params in OpenSSL are configured incorrectly and how they should be configured, it is at least a "workaround" that makes this test pass. (With 4096 bits the problem is still there and 8192 bits take hours to generate, so I suppose that the key size is not the issue here.)

As for GnuTLS, I'm sorry to say that, but each time I tried to build Courier --with-gnutls, it either didn't build at all (which was still a lucky case) or crashed (which was still OK and easy to detect) or started hanging at random during authentication (which was not so great). All of this happened years ago and things certainly work better now, but I've wasted so much time on GnuTLS problems that I'm sort of done with it for the decade. :grin:
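
The check described in the last comment, as an added example that is not part of the thread or of Courier's code: it expands a cipher string with `openssl ciphers -v` and lists every suite whose key-exchange column is finite-field DH, which also catches suites pulled in by wildcards. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: find finite-field DHE suites in an OpenSSL cipher string.

# Constructed sample of `openssl ciphers -v` output (not taken from the issue).
sample_ciphers_v() {
cat <<'EOF'
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD
EOF
}

# Read `openssl ciphers -v` lines on stdin and print the names of suites whose
# key exchange (Kx= column) is finite-field DH. Kx=ECDH and Kx=any do not match.
dhe_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^Kx=DH/) { print $1; break } }'
}

# Expand a cipher string with the local openssl and report DHE suites.
# Returns 0 if none are enabled, 1 if some are, 2 if the string cannot be expanded.
check_cipher_list() {
    expanded=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
    found=$(printf '%s\n' "$expanded" | dhe_suites)
    [ -z "$found" ] && return 0
    printf 'finite-field DHE suites still enabled:\n%s\n' "$found"
    return 1
}

# With an argument: check that cipher string. Without: run on the sample.
if [ "$#" -gt 0 ]; then
    check_cipher_list "$1"
else
    sample_ciphers_v | dhe_suites
fi
```

Run it as `sh check-dhe.sh "$TLS_CIPHER_LIST"` (the script name is arbitrary) after each change to the cipher list; exit status 0 means no finite-field DHE suite remains in the expanded list.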