
Allow Elliptic Curve Cryptography (ECC) certificate #5509

Closed
8 tasks done
stephdl opened this issue May 28, 2018 · 57 comments
Labels
verified All test cases were verified successfully
Milestone

Comments

@stephdl

stephdl commented May 28, 2018

Steps to reproduce

With CentOS 7.5 and the TLS policy 20180330, the usage of ECC certificates is not allowed by our SSL policy: the ciphers are not allowed, so we have to add:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256

This page explains better which ciphers to use for ECC (we do not want SSLv3).

Expected behavior

No error; if needed, we have to allow ECC certificates via a new TLS policy (TLS-20180621).

Actual behavior

Not allowed.

Components
We have to patch these services:

  • httpd
  • httpd-admin
  • postfix (smtpd) mail2
  • dovecot mail2
  • postfix (smtpd)(nethserver-mail-server)
  • ~~postfix (smtp)~~ (we do not offer a list of ciphers, we just ask for "high" in opportunistic mode)
  • dovecot (nethserver-mail-server)
  • ~~sshd~~ already allowed, see KexAlgorithms curve25519-sha256@libssh.org

See also

The older issue on GitHub: #5438
and the Discourse forum: https://community.nethserver.org/t/default-tls-policy-doesnt-allow-connections-with-ecc-certificate/9952


Thanks danb35

@DavidePrincipi
Member

What about OpenLDAP? Even if it does not implement TLS policy by now, did you check if it works with an ECC?

stephdl added a commit to NethServer/nethserver-mail-server that referenced this issue May 29, 2018
stephdl added a commit to NethServer/nethserver-mail that referenced this issue May 29, 2018
@nethbot
Member

nethbot commented May 29, 2018

stephdl added a commit to NethServer/nethserver-httpd that referenced this issue May 29, 2018
stephdl added a commit to NethServer/nethserver-httpd-admin that referenced this issue May 29, 2018
@nethbot
Member

nethbot commented May 29, 2018

@stephdl
Author

stephdl commented May 29, 2018

Will check for ECC and LDAP @DavidePrincipi

How can I build the nethserver-mail RPM again with Travis? The build failed :'(

@stephdl
Author

stephdl commented May 29, 2018

Testing cases

install from testing

  • nethserver-httpd
  • nethserver-httpd-admin
  • nethserver-mail2-server or nethserver-mail-server

Test that there are no regressions and no errors in templates (check logs) by changing the tls-policy.

You can check which ciphers are allowed on the testssl.sh page.

Services to test with testssl.sh and the 20180330 TLS policy:

  • imap testssl.sh -t imap 127.0.0.1:143
  • pop3 testssl.sh -t pop3 127.0.0.1:110
  • https 443 testssl.sh 127.0.0.1:443
  • httpd-admin testssl.sh 127.0.0.1:980
  • smtpd testssl.sh -t smtp 127.0.0.1:587

testssl.sh should give back the list of ciphers; you are looking for KeyExch. ECDH, for example ECDHE-RSA-AES256-GCM-SHA384.

The last and ultimate test is to upload an ECC certificate and check that you can use these services.
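An added example, not NethServer's or testssl.sh's code, that covers both the cipher list at the top of the issue and the service checks above: `ecdsa_suites` expands a policy cipher string with the `ssl` module and reports which suites can authenticate an ECDSA (ECC) key, and `probe` runs a handshake offering only the ECDHE-ECDSA suites (with a STARTTLS dialogue for imap, pop3 and smtp) so that it succeeds only when the service really serves an ECC certificate. Host, port and protocol are caller-supplied assumptions; the STARTTLS helper assumes single-line greetings, as dovecot and postfix send by default.

```python
import socket
import ssl

# Constructed from the issue: the ECDHE-ECDSA suites that must be present in the
# tls policy cipher string before an ECC (ECDSA) certificate can be served.
ISSUE_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256"
)


def ecdsa_suites(policy):
    """Expand an OpenSSL cipher string the way the server does and return the suites
    that authenticate with an ECDSA key ('auth' is 'auth-ecdsa' / 'auth-rsa' in the
    ssl module; TLS 1.3 suites report 'auth-any' and so never count here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(policy)  # raises ssl.SSLError if no suite in the string exists
    return [c["name"] for c in ctx.get_ciphers() if c["auth"] == "auth-ecdsa"]


def _starttls(sock, proto):
    """Plaintext STARTTLS dialogue for the mail services in the test cases
    (assumption: single-line greetings, as dovecot and postfix send by default)."""
    lines = sock.makefile("rb")
    lines.readline()  # server greeting
    if proto == "smtp":
        sock.sendall(b"EHLO probe.invalid\r\n")
        while lines.readline().startswith(b"250-"):  # multi-line EHLO reply ends at "250 "
            pass
    cmd, ok = {"imap": (b"a1 STARTTLS\r\n", b"a1 OK"),
               "pop3": (b"STLS\r\n", b"+OK"),
               "smtp": (b"STARTTLS\r\n", b"220")}[proto]
    sock.sendall(cmd)
    reply = lines.readline()
    if not reply.startswith(ok):
        raise RuntimeError("STARTTLS refused: " + reply.decode(errors="replace").strip())


def probe(host, port, proto="https"):
    """Handshake offering only the ECDHE-ECDSA suites and return the negotiated cipher.
    A failed handshake means the service cannot serve an ECC certificate (wrong cipher
    list, or an RSA certificate installed).  TLS 1.2 is forced so that the cipher
    string, not a key-type-agnostic TLS 1.3 suite, decides the outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # testing cipher negotiation, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ISSUE_SUITES)
    with socket.create_connection((host, port), timeout=10) as sock:
        if proto != "https":
            _starttls(sock, proto)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]  # e.g. 'ECDHE-ECDSA-AES256-GCM-SHA384'
```

Run `probe("127.0.0.1", 143, "imap")` and the other ports from the list above against a testing box; an `ssl.SSLError` handshake failure on a service is the same finding testssl.sh reports as no ECDH/ECDSA suites.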

@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label May 30, 2018
@DavidePrincipi DavidePrincipi added this to the NSW18.22 milestone May 30, 2018
@nethbot
Member

nethbot commented May 30, 2018

@DavidePrincipi
Member

DavidePrincipi commented May 30, 2018

I cannot upload an ECC certificate from Server Manager UI :(


To generate the certificate I ran these commands on a Fedora 28:

# generate a P-256 (prime256v1) EC private key
openssl ecparam -genkey -name prime256v1 -out key.pem
# create a CSR signed with SHA-256
openssl req -new -sha256 -key key.pem -out csr.csr
# self-sign the CSR for one year
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
# confirm the CSR carries a SHA-256 signature
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"

origin: https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/

@DavidePrincipi DavidePrincipi removed their assignment May 30, 2018
@DavidePrincipi DavidePrincipi removed the testing Packages are available from testing repositories label May 30, 2018
@DavidePrincipi DavidePrincipi changed the title Allow Eliptic curve certificate (ECC) Allow Elliptic curve certificate (ECC) May 30, 2018
@DavidePrincipi
Member

Shall we add DSA support too?

@stephdl
Author

stephdl commented May 30, 2018

DSA is for signatures, not for encryption. OpenSSH dropped support for it in OpenSSH 7.

I suppose we do not need to allow it.

@stephdl
Author

stephdl commented May 30, 2018

> What about OpenLDAP? Even if it does not implement TLS policy by now, did you check if it works with an ECC?

Not many hints, I do not know.

@DavidePrincipi DavidePrincipi removed their assignment Jun 21, 2018
@DavidePrincipi DavidePrincipi removed the testing Packages are available from testing repositories label Jun 21, 2018
@DavidePrincipi
Member

Other commands for QA:

 nmap  --script ssl-enum-ciphers 192.168.122.8 -p 636
 ./testssl.sh 192.168.122.8:636

The nmap command in Fedora 28 has more detailed output than the one in CentOS7.

gsanchietti pushed a commit to NethServer/nethserver-base that referenced this issue Jun 22, 2018
* Check if the TLS policy is compatible

* Move inline manual to docs

NethServer/dev#5509
@nethbot
Member

nethbot commented Jun 22, 2018

in 7.5.1804/testing:

DavidePrincipi added a commit to NethServer/nethserver-directory that referenced this issue Jun 25, 2018
@nethbot
Member

nethbot commented Jun 25, 2018

in 7.5.1804/testing:

@DavidePrincipi
Member

DavidePrincipi commented Jun 25, 2018

Test case


See also #5509 (comment)

@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label Jun 25, 2018
@stephdl stephdl self-assigned this Jun 25, 2018
@stephdl
Author

stephdl commented Jun 25, 2018

Thanks, I need to write them to the wiki; I did a page on this topic... testssl

done https://wiki.nethserver.org/doku.php?id=testing_tls_ssl_encryption

@stephdl
Author

stephdl commented Jun 25, 2018

VERIFICATION

  • nethserver-nextcloud already released (probably in other issue)
  • nethserver-mattermost already released (probably in other issue)
  • nethserver-openldap
    a remote can authenticate with an ECC certificate or an RSA cert; it is mandatory to upgrade to openldap-2.4.44 (CentOS 7.5)
    you can see the list of ciphers
  • If you install an ECC cert as default, the validator checks that the policy is default or 20180621

Proposed verified

DavidePrincipi added a commit to NethServer/docs that referenced this issue Jun 26, 2018
@DavidePrincipi DavidePrincipi added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Jun 26, 2018
@DavidePrincipi
Member

Pushed translations to Transifex

@nethbot
Member

nethbot commented Jun 26, 2018

in 7.5.1804/updates:

@nethbot
Member

nethbot commented Jun 26, 2018

in 7.5.1804/updates:

@nethbot
Member

nethbot commented Jun 26, 2018

in 7.5.1804/updates:

@nethbot
Member

nethbot commented Jun 26, 2018

@DavidePrincipi
Member

Packages released
