Project

General

Profile

tickets #102602

anna|elsa, daffy1|daffy2: SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection

Added by lrupp 2 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
High
Assignee:
opensuse-admin
Category:
Core services and infra
Target version:
-
Start date:
2021-11-17
Due date:
% Done:

100%

Estimated time:

Description

Insight

The TLSv1.0 and TLSv1.1 protocols contain known cryptographic flaws like:

  • CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST) *CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded Legacy Encryption (FREAK)

Impact

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

Furthermore newly uncovered vulnerabilities in this protocols won't receive security updates anymore.

Solution

It is recommended to disable the deprecated TLSv1.0 and/or TLSv1.1 protocols in favor of the TLSv1.2+ protocols.

Just use https://ssl-config.mozilla.org/ as base for a good configuration.

References

CERT

DFN-CERT-2020-0177
DFN-CERT-2020-0111
DFN-CERT-2019-0068
DFN-CERT-2018-1441
DFN-CERT-2018-1408
DFN-CERT-2016-1372
DFN-CERT-2016-1164
[...]

History

#1 Updated by pjessen 2 months ago

  • Assignee changed from opensuse-admin to pjessen
  • Private changed from Yes to No

anna - TLS v1.0 and v1.1 are disabled for smtp (outbound).
anna - TLS v1.0 and v1.1 are enabled for smtpd (inbound), but none of the external addresses are accessible on port 25, anna is only an outbound relay. Anyway, I'll add :

smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

I expect elsa to be exactly the same.

#2 Updated by pjessen 2 months ago

  • Status changed from New to Workable
  • Assignee changed from pjessen to opensuse-admin

anna and elsa both done, but I have no access to daffy[12].

#3 Updated by pjessen about 2 months ago

pjessen wrote:

anna and elsa both done, but I have no access to daffy[12].

What does daffy[12] run that uses TLS?

#4 Updated by lrupp about 2 months ago

  • Status changed from Workable to Closed
  • % Done changed from 0 to 100

pjessen wrote:

What does daffy[12] run that uses TLS?

daffy[1,2] run login2.opensuse.org -> an apache in front of some services.
This is now fixed. https://www.ssllabs.com/ssltest/analyze.html?d=login2.opensuse.org even shows an "A+" :-)

=> Closing, as all issues solved. Thanks!

Also available in: Atom PDF