Bug 35923 - Enable perfect forward secrecy
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-3-errata
Assigned To: Felix Botner
QA Contact: Erik Damrose
Depends on:
Blocks: 35924
Reported: 2014-09-15 09:17 CEST by Sönke Schwardt-Krummrich
Modified: 2015-03-27 11:19 CET

Description Sönke Schwardt-Krummrich univentionstaff 2014-09-15 09:17:03 CEST
We should enable Perfect Forward Secrecy:

* Execute the following commands during installation of univention-mail-postfix:
    $ openssl gendh -out /etc/postfix/dh_512.pem -2 512
    $ openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
    $ openssl gendh -out /etc/postfix/dh_2048.pem -2 2048
  And the new config options:
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
  This enables EDH in postfix.
* smtpd_tls_eecdh_grade = strong
  Currently the builtin default value "none" is used which disables ciphers based on EECDH key exchange.
* tls_preempt_cipherlist = yes
  Is currently ignored in UCS 3.x (postfix 2.7) but used in UCS 4. It should also be set.
* smtpd_tls_loglevel = 1
  smtp_tls_loglevel = 1
  Raise TLS loglevel from 0 to 1.

Please recheck also for missing options:
http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
Comment 1 Felix Botner univentionstaff 2014-09-23 11:13:12 CEST
Added the following ucr variables:

 /etc/postfix/main.cf:
 * mail/postfix/smtpd/tls/dh1024/param/file (/etc/postfix/dh_2048.pem)
 * mail/postfix/smtpd/tls/dh512/param/file (/etc/postfix/dh_512.pem)
 * mail/postfix/smtpd/tls/eecdh/grade (strong)
 * mail/postfix/tls/preempt/cipherlist (yes)
 * mail/postfix/smtpd/tls/loglevel (1)
 * mail/postfix/smtp/tls/loglevel (1)

 /etc/cron.d/univention-mail-postfix:
 * mail/postfix/cron/recreate/dh/parameter (0 4 * * *)

During installation (and this update) DH parameter files are created (/etc/postfix/dh_*.pem).

A cron job /etc/cron.d/univention-mail-postfix has been added to daily recreate the DH parameter files/reload postfix.

To verify that Perfect Forward Secrecy is used, the openssl s_client command

-> openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25

should return a Cipher starting with DHE (UCS 3.2) or ECDHE (UCS 4.0)

YAML: 2014-09-22-univention-mail-postfix.yaml

Merged to ucs-4.0-0
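
The s_client check described in the comment above, turned into a script-friendly test (an added example, not part of the original bug report or of univention-mail-postfix). The function names and the sample s_client excerpts are constructed for illustration; the example also goes beyond the comment by handling TLS 1.3 suite names, anonymous suites and a failed handshake.

```shell
#!/bin/sh
# Added example: decide from `openssl s_client` output whether the negotiated
# cipher uses an ephemeral (forward-secret) key exchange.

# Constructed s_client excerpts; the first two cipher names are the ones
# reported for UCS 3.2 and UCS 4.0 in this bug.
SAMPLE_DHE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_ECDHE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_STATIC_RSA='New, TLSv1/SSLv3, Cipher is AES256-SHA'
SAMPLE_NO_TLS='New, (NONE), Cipher is (NONE)'

# Print the cipher name from the "Cipher is ..." summary line on stdin.
negotiated_cipher() {
    sed -n 's/^.*Cipher is \([^ ]*\).*$/\1/p' | head -n 1
}

# Classify an OpenSSL cipher name by its key exchange:
#   pfs     ephemeral DH/ECDH with an authenticated server, or any TLS 1.3 suite
#   anon    ephemeral but unauthenticated (ADH/AECDH)
#   no-pfs  anything else, e.g. static RSA key transport
#   none    no cipher negotiated (STARTTLS refused or handshake failed)
classify_cipher() {
    case "$1" in
        ''|'(NONE)')          echo none ;;
        DHE-*|EDH-*|ECDHE-*)  echo pfs ;;
        TLS_*)                echo pfs ;;
        ADH-*|AECDH-*)        echo anon ;;
        *)                    echo no-pfs ;;
    esac
}

# Read s_client output on stdin and print the classification.
check_pfs() {
    classify_cipher "$(negotiated_cipher)"
}

# Live use against the local MTA (same command as in the comment above):
#   openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 \
#       </dev/null 2>/dev/null | check_pfs
```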
Comment 2 Philipp Hahn univentionstaff 2014-10-02 10:58:00 CEST
The UCS-4 installation stalls for a long time while the key material is created. It also prints a lot of '.' lines (5856) to stdout, which get logged to /var/log/syslog during installation:
  # grep 'in-target: \. *$' /var/log/syslog | sed -ne '1p;$p'
    Oct  2 08:41:57 in-target: .
    Oct  2 08:45:25 in-target: .

Running the key generation commands in a cron job also depletes the kernel random pool for /dev/random (which MUST be used for key generation). Especially virtual machines are short on sources for true random data, which might lead to additional stalls. Newer QEMU versions provide a VirtIO device for random, but by that the problem is only moved into the host server; an EGD can be installed there.

  # cat /proc/sys/kernel/random/entropy_avail
    870
Comment 3 Felix Botner univentionstaff 2014-10-13 13:50:20 CEST
(In reply to Philipp Hahn from comment #2)
> The UCS-4 installation stalls for a long time while the key material is
> created. It also prints a lot of '.' lines (5856) to stdout, which get
> logged to /var/log/syslog during installation:
>   # grep 'in-target: \. *$' /var/log/syslog | sed -ne '1p;$p'
>     Oct  2 08:41:57 in-target: .
>     Oct  2 08:45:25 in-target: .

openssl gendh output is redirected to /dev/null during installation, and the default for the recreation cron interval is now 0 4 * * 0 (weekly).

> 
> Running the key generation commands in a cron job also depletes the kernel
> random pool for /dev/random (which MUST be used for key generation).
> Especially virtual machines are short on sources for true random data, which
> might lead to additional stalls. Newer QEMU versions provide a VirtIO device
> for random, but by that the problem is only moved into the host server; an
> EGD can be installed there.
> 
>   # cat /proc/sys/kernel/random/entropy_avail
>     870

All OpenSSL versions try to use /dev/urandom by default,
Comment 4 Erik Damrose univentionstaff 2014-11-07 10:16:48 CET
As discussed, please
- Remove the generation of the 1024bit file, as it is not used. This will reduce the overall time required for key generation
- Set the umask of the generated files to 0644.
- mail/postfix/smtpd/tls/loglevel and mail/postfix/smtp/tls/loglevel should be initialized with 0
- tls_preempt_cipherlist is only supported in postfix 2.8 and later (UCS 3.2 uses 2.7); smtpd_tls_eecdh_grade is supported in postfix 2.6. At least move the comment in the template
Comment 5 Felix Botner univentionstaff 2014-11-07 10:52:28 CET
(In reply to Erik Damrose from comment #4)
> As discussed, please
> - Remove the generation of the 1024bit file, as it is not used. This will
> reduce the overall time required for key generation
> - Set the umask of the generated files to 0644.
> - mail/postfix/smtpd/tls/loglevel and mail/postfix/smtp/tls/loglevel should
> be initialized with 0
> - tls_preempt_cipherlist is only supported in postfix 2.8 and later (UCS 3.2
> uses 2.7); smtpd_tls_eecdh_grade is supported in postfix 2.6. At least move
> the comment in the template

OK

Removed mail/postfix/smtpd/tls/eecdh/grade and
mail/postfix/tls/preempt/cipherlist from 3.2-3 as they are not supported by postfix/openssl.

Added changelog entry for 4.0.
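
One way to script the periodic regeneration discussed in comments 2 to 5 (quiet output, world-readable 0644 files, no unused 1024-bit file), shown as an added example that is not the univention-mail-postfix cron script. The function names `regen_dh_params` and `openssl_dh_generator` are hypothetical, and writing to a temporary file before renaming is an assumption added here so a failed run keeps the previous parameters.

```shell
#!/bin/sh
# Added example: regenerate Postfix DH parameter files without log noise and
# without ever leaving a partial file in place.

# Default generator. Uses `openssl dhparam`, which replaces the
# `openssl gendh` command quoted in the report on current OpenSSL releases.
# Progress dots and errors are discarded so cron and installer logs stay clean.
openssl_dh_generator() {    # $1 = output file, $2 = size in bits
    openssl dhparam -out "$1" -2 "$2" >/dev/null 2>&1
}

# regen_dh_params DEST BITS [GENERATOR]
# Generates into a temp file next to DEST and renames it into place only if
# the generator succeeded and produced a PEM DH parameter block.
regen_dh_params() {
    dest=$1 bits=$2 gen=${3:-openssl_dh_generator}
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if "$gen" "$tmp" "$bits" && grep -q 'BEGIN.*DH PARAMETERS' "$tmp"; then
        chmod 0644 "$tmp"      # DH parameters are public, mode from comment 4
        mv -f "$tmp" "$dest"   # rename is atomic within one filesystem
    else
        rm -f "$tmp"           # previous DEST stays untouched
        return 1
    fi
}

# Weekly cron use with the two files that remain after comment 4:
#   regen_dh_params /etc/postfix/dh_512.pem 512 &&
#   regen_dh_params /etc/postfix/dh_2048.pem 2048 &&
#   postfix reload
```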
Comment 6 Erik Damrose univentionstaff 2014-11-07 11:19:49 CET
OK: openssl s_client -starttls smtp -crlf -connect localhost:25
UCS 3.2: Cipher is DHE-RSA-AES256-SHA
UCS 4.0: Cipher is ECDHE-RSA-AES256-GCM-SHA384

(In reply to Felix Botner from comment #3)
> All OpenSSL versions try to use /dev/urandom by default,
OK: https://www.openssl.org/support/faq.html#USER1
-> reduced key generation time by skipping unused 1024bit key

OK: Removed UCRV options from UCS 3.2 that are not available
OK: Changelog
OK: r55485 Only release for 3.2-3 errata

Verified
Comment 7 Janek Walkenhorst univentionstaff 2014-11-07 15:37:26 CET
http://errata.univention.de/ucs/3.2/236.html