Koozali.org: home of the SME Server

TLS Version 1.0 Protocol Detection (PCI DSS)
« on: December 08, 2015, 09:01:47 PM »
How do I disable TLS Version 1.0 so I can use TLS 1.1 and/or TLS 1.2?

I did a scan on the server for supported protocols. Here are the results.

Protocols
TLS 1.2   Yes
TLS 1.1   Yes
TLS 1.0   Yes
SSL 3     No
SSL 2     No

SecurityMetrics Issue:

Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.

Impact:
The remote service accepts connections encrypted using TLS 1.0. These versions of TLS reportedly suffer from several cryptographic flaws. An attacker may be able to exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. As per PCI Security Standards Council April 1, 2015 document `Migrating from SSL and Early TLS` all TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing current risk management plus migration strategy off early TLS to secure TLS versions such as TLS 1.1 or 1.2 on or before June 30, 2016. Consult the application's documentation for information on how to upgrade TLS to version 1.1 or greater (TLS 1.2 strongly recommended) or upgrade the application to a version that uses TLS version 1.1 or greater.

Resolution:
Consult the application's documentation to disable TLS 1.0. Use TLS 1.1 or higher instead.

guest22

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #1 on: December 09, 2015, 06:20:06 AM »
Hi and welcome!

Good question(s), I'm sure somebody will jump in shortly.

Stefano
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #2 on: December 09, 2015, 11:26:55 AM »
Just a question... are we talking about what? http? mail? what?

thank you

DanB35
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #3 on: December 09, 2015, 03:21:47 PM »
This would likely be http, as a default SME 9 installation will support TLS 1.0, 1.1, and 1.2.  Doyle appears to be facing a third-party requirement to disable TLS 1.0 by next June, most likely related to accepting credit cards (I presume this since that's what PCI deals with).  It appears (based on my limited web searching) that vulnerabilities in TLS 1.0 can be mitigated, if not defeated, by ensuring use of RC4, but that then exposes you to potential vulnerabilities in RC4.

TLS 1.0 can be disabled in httpd.conf by setting SSLProtocol to all -SSLv3 -TLSv1. I made that change on my production server, restarted httpd-e-smith, and ran the SSL test from ssllabs.com.  Result was that TLS 1.0 was in fact disabled.

To do it the "e-smith way," you'd need to make a custom template fragment.

Code: [Select]
# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
# nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol

Make it look like this:
Code: [Select]
{
    # Specify which SSL Protocols to accept for this context
    $OUT .= "SSLProtocol all";
    $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
    $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
    $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
    $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
}

Set your configuration properly, rebuild the httpd configuration file, and restart Apache:

Code: [Select]
# config setprop httpd-e-smith TLSv1 disabled
# config setprop httpd-e-smith TLSv1.1 enabled
# expand-template /etc/httpd/conf/httpd.conf
# service httpd-e-smith restart

Now, I'm fairly confident that this will disable TLS v1.0 on your server.  If you want to disable TLS 1.1 as well, change the second command above to "TLSv1.1 disabled".  I can't vouch for the wisdom of doing so, or address any other impacts it may have.

Note that disabling TLS 1.0 will break https for a bunch of older clients.  Clients that support TLS 1.2 will use it anyway--having TLS 1.0 enabled does not force your clients to use that protocol.
« Last Edit: December 09, 2015, 03:32:28 PM by DanB35 »

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #4 on: December 09, 2015, 10:57:52 PM »
Thanks DanB35.

I made the changes that you posted. I am in the process of testing the server with SecurityMetrics. I will post the results.

Thank you again!

DanB35
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #5 on: December 09, 2015, 11:17:52 PM »
I've posted http://bugs.contribs.org/show_bug.cgi?id=9154 about this issue to see if it can be added to the base system.

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #6 on: December 10, 2015, 05:49:14 PM »
The changes worked GREAT.

Now I am having the same issue with SSMTP (465) and SPOP3 (995) using TLSv1.0.

How do I disable TLSv1.0 for SSMTP and SPOP3?

Thanks, Doyle

DanB35
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #7 on: December 10, 2015, 06:09:59 PM »
Frankly, if they're concerned about the encryption protocols used for mail delivery and retrieval, they're straining at a gnat while swallowing a camel.  Sensitive information shouldn't be sent over email without being encrypted by the client anyway, using something like PGP or S/MIME.

But to answer your question, I'm afraid I don't have any idea how to make the relevant changes to those services.  I'm sure it can be done, though.  Hopefully someone else will chime in.

Stefano
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #8 on: December 10, 2015, 06:31:07 PM »
for pop3s, I guess we have to edit this file:

Code: [Select]
[root@fileserver stunnel.conf]$ more 10ssl
cert = /service/imap/ssl/imapd.pem
options = NO_SSLv2
options = NO_SSLv3
fips = no
[root@fileserver stunnel.conf]$ pwd
/etc/e-smith/templates/var/service/pop3s/stunnel.conf

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #9 on: December 10, 2015, 09:20:05 PM »
The issue is not the sending of emails, it is the service used to verify that your service/server does not have any vulnerabilities. They ding you when you do, whether it is relevant or not. I need to make them happy! That said, I need to find a way of disabling TLS v1.0 for smtp and pop.

Is this possible or do I need to submit a bug report?

Thank you for all the help!

Doyle 

Stefano
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #10 on: December 10, 2015, 09:30:32 PM »
Please, read my last post and try it yourself and report back, thank you

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #11 on: December 10, 2015, 09:46:29 PM »
> Please, read my last post and try it yourself and report back, thank you

Can you please explain what the changes do? Thanks

UPDATE: I checked and the changes you have listed are already done. It did not work.
« Last Edit: December 10, 2015, 09:48:38 PM by Doyle Glaze II »

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #12 on: December 16, 2015, 05:24:42 PM »
> Please, read my last post and try it yourself and report back, thank you

What is it I am changing???

I don't know what I am changing. What I am reading in the file is that SSLv2 and SSLv3 are disabled. But I do know that SSLv3 is not.

Should I submit a bug on this security issue???

Thanks

Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #13 on: December 16, 2015, 09:13:37 PM »
Made the following changes and did not fix the problem. What is next?

Code: [Select]
[root@fileserver stunnel.conf]$ more 10ssl
cert = /service/imap/ssl/imapd.pem
options = NO_TLSv1
options = NO_SSLv2
options = NO_SSLv3
fips = no
[root@fileserver stunnel.conf]$ pwd
/etc/e-smith/templates/var/service/pop3s/stunnel.conf


DanB35
Re: TLS Version 1.0 Protocol Detection (PCI DSS)
« Reply #14 on: December 16, 2015, 09:36:37 PM »
At a minimum, expand-template /var/service/pop3s/stunnel.conf.  I don't know if there's an associated service to restart or not.
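Both SecurityMetrics and the ssllabs test DanB35 mentions in reply #3 reach their "TLS 1.0 Yes/No" verdict the same way: one handshake per protocol version, offering nothing else. The script below does that against the three ports the thread covers (443 from reply #3, 465 and 995 from replies #6, #8 and #14), so the result of an expand-template plus restart can be checked from another machine before paying for a re-scan. It is an added example, not code from the thread or from the SME Server project. It assumes Python 3.7+ with an OpenSSL 1.1.1 or 3.x backed ssl module and network reachability to the target; the host mail.example.org and the helper names (pinned_context, classify_error, probe, scan, report) are placeholders chosen here. One caveat a scanner operator hits today: an OpenSSL 3 client will not even offer TLS 1.0 or 1.1 at its default security level, so a naive probe reports "No" for every server. The script lowers the level to keep the probe honest and tells apart "server refused" from "my client could not offer it".

```python
"""Check which TLS versions a service negotiates, one pinned handshake per version.

Added example; not code from the forum thread or from the SME Server project.
Assumptions: Python 3.7+ whose ssl module is backed by OpenSSL 1.1.1 or 3.x,
and that the scanned host is reachable from where this runs.  The host name
and helper names are placeholders chosen for this example.
"""
import socket
import ssl
import sys
import warnings
from dataclasses import dataclass

# Same rows as the scan in the opening post.  SSLv2/SSLv3 are not probed:
# current OpenSSL builds cannot speak them at all, so a "No" from this
# script for those rows would prove nothing about the server.
VERSIONS = {
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
}

# Ports from the thread: https, smtps (SSMTP) and pop3s (SPOP3).  All three
# are implicit TLS; STARTTLS ports (25, 110, 143) need a different flow.
DEFAULT_PORTS = (443, 465, 995)


@dataclass
class ProbeResult:
    port: int
    version: str
    accepted: bool
    reason: str


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly `version` and nothing else.

    Certificate checks are off on purpose: the question is protocol support,
    not the chain, and a self-signed SME certificate would otherwise mask the
    answer.  @SECLEVEL=0 is needed because OpenSSL 3 clients refuse to offer
    TLS 1.0/1.1 at the default security level; without it every TLS 1.0 probe
    reports "No" even against a server that still accepts it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/1.1 members
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL has no security levels; nothing to lower
    return ctx


def classify_error(message: str) -> str:
    """Separate 'the server refused this version' from 'my client cannot offer it'."""
    m = message.lower()
    if "protocol version" in m or "unsupported protocol" in m:
        return "server refused"       # the state you want after disabling TLS 1.0
    if "no protocols available" in m:
        return "client cannot offer"  # inconclusive: local OpenSSL policy, not the server
    return "error: " + message


def probe(host: str, port: int, name: str, timeout: float = 5.0) -> ProbeResult:
    """One pinned handshake; accepted=True means the server negotiated `name`."""
    ctx = pinned_context(VERSIONS[name])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(port, name, True, "negotiated " + str(tls.version()))
    except (ssl.SSLError, OSError) as exc:  # SSLError is an OSError subclass
        return ProbeResult(port, name, False, classify_error(str(exc)))


def scan(host: str, ports=DEFAULT_PORTS) -> list:
    """Every version on every port, in the scanner's row order."""
    return [probe(host, p, v) for p in ports for v in VERSIONS]


def report(results) -> str:
    """Scanner-style table: port, version, Yes/No, and why."""
    lines = []
    for r in results:
        flag = "Yes" if r.accepted else "No"
        lines.append("%5d  %-8s %-3s  %s" % (r.port, r.version, flag, r.reason))
    return "\n".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder
    ports = tuple(int(p) for p in sys.argv[2:]) or DEFAULT_PORTS
    print(report(scan(target, ports)))
```

Run it as `python3 probe_tls.py your.server 443 465 995` before and after the change. A "No" in the TLS 1.0 row with reason "server refused" is the outcome the scanner wants; a "No" with "client cannot offer" means the probing machine, not the server, dropped TLS 1.0, and the result says nothing about the fix.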