OpenSSL Vulnerability (Heartbleed)

General discussion re sg.

Post by ronbarak » Sun Apr 13, 2014 7:39 pm

Following the latest buffer overflow brouhaha, I tested Spamgourmet's SSL compliance, and on the whole, it's almost perfect.
The only thing SG lacks is support for Forward Secrecy.
See https://www.diigo.com/item/p/oooepprzcaqccppppzbddrcrpe.
ronbarak
 
Posts: 37
Joined: Thu May 27, 2004 10:04 am

Re: OpenSSL Vulnerability (Heartbleed)

Post by josh » Wed Apr 16, 2014 3:30 pm

Thanks - I reconfigured a bit. I now get a message that forward secrecy is not supported with all browsers, but I suppose it is with some. Anyway, I did what I could for now.

BUT NOTE - the SG server did in fact have the vulnerable version of OpenSSL installed previously. No one can say whether it was compromised, except that we haven't seen any reason to believe it may have been. I've patched openssl of course, and I've updated all keys/certificates with new ones subsequent to the patch.

It would be a great time to change your password.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Re: OpenSSL Vulnerability (Heartbleed)

Post by jamesd » Fri Apr 18, 2014 4:34 am

Josh, it looks as though you got the configuration wrong in a way that breaks a lot of browsers. The problem isn't forward secrecy but the order in which https://www.spamgourmet.com selects the protocol to use from the ones a browser supports and/or the lack of support for the most commonly supported choice. To see what's wrong please first start these two pages loading, which will take a few minutes as they perform tests:

https://www.ssllabs.com/ssltest/analyze ... ondora.com
https://www.ssllabs.com/ssltest/analyze ... ourmet.com

While those load please read this page that explains what's happening:

https://community.qualys.com/blogs/secu ... rd-secrecy

By now the other two pages should have finished loading. If you scroll down to the Handshake Simulation part you can see mass failure for Spamgourmet but complete success for Bondora. The difference is that Spamgourmet appears to be insisting on

TLS 1.2 TLS_RSA_WITH_AES_256_CBC_SHA256

while Bondora is using a range that includes more secure and more widely supported things like

TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

The issue does things like produce this as error text in, say, the about a year old FF 20, along with an inability to connect:

"An error occurred during a connection to http://www.spamgourmet.com.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)"

Hopefully the references will tell you enough about what's happening so it's not too painful to fix it.
jamesd
 
Posts: 17
Joined: Sun Feb 12, 2006 10:45 pm
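
The handshake failure discussed in the post above can be reproduced with a simplified model of server-side cipher suite selection. This is an added example, not part of any post in the thread and not Spamgourmet's or SSL Labs' code; the client profiles and the `negotiate`/`simulate` helpers are constructed for illustration and are not real browser cipher lists.

```python
from typing import NamedTuple, Optional, Sequence

TLS1_0, TLS1_2 = (3, 1), (3, 3)  # protocol versions as they appear on the wire

# suite name -> (lowest protocol version that defines it, ephemeral key exchange?)
SUITE_INFO = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256":    (TLS1_2, False),  # RFC 5246: TLS 1.2 only
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": (TLS1_0, True),   # RFC 4492: ECDHE gives forward secrecy
    "TLS_RSA_WITH_AES_256_CBC_SHA":       (TLS1_0, False),
}

class Client(NamedTuple):
    max_version: tuple
    suites: Sequence[str]

class Outcome(NamedTuple):
    version: tuple
    suite: str
    forward_secrecy: bool

def negotiate(server_prefs, server_max, client) -> Optional[Outcome]:
    """Pick the first server-preferred suite the client offers and the
    negotiated version allows; None models a handshake_failure alert."""
    version = min(server_max, client.max_version)
    for suite in server_prefs:
        min_version, fs = SUITE_INFO[suite]
        if suite in client.suites and min_version <= version:
            return Outcome(version, suite, fs)
    return None

# Constructed client profiles (assumptions for this example).
CLIENTS = {
    "tls10_only": Client(TLS1_0, ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                                  "TLS_RSA_WITH_AES_256_CBC_SHA"]),
    "tls12": Client(TLS1_2, list(SUITE_INFO)),
}

SINGLE_SUITE = ["TLS_RSA_WITH_AES_256_CBC_SHA256"]       # the suite named in the post
BROAD = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",           # forward-secret suite first
         "TLS_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_RSA_WITH_AES_256_CBC_SHA"]

def simulate(server_prefs, server_max=TLS1_2):
    """Run every constructed client against one server configuration."""
    return {name: negotiate(server_prefs, server_max, c) for name, c in CLIENTS.items()}

if __name__ == "__main__":
    for label, prefs in (("single suite", SINGLE_SUITE), ("broad list", BROAD)):
        for name, result in simulate(prefs).items():
            print(f"{label:12} {name:10} ->", result or "no common cipher suite")
```

With the single-suite server, the TLS 1.0 client has nothing in common with it, which is the condition Firefox reports as `ssl_error_no_cypher_overlap`.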

