X-Junk-Score:   0 []
X-KAS-Score:   0 []
From: "=?UTF-8?B?U8OpcmdpbyBBcmHDumpv?= sergio@3gnt.net" <CGatePro@list.communigate.ru>
Received: from [193.227.239.7] (HELO 3gnt.net)
  by list.communigate.ru (CommuniGate Pro SMTP 6.3.11)
  with ESMTPS id 60512850 for CGatePro@list.communigate.ru; Wed, 27 Apr 2022 13:10:42 +0300
Received-SPF: pass
 receiver=mail.communigate.ru; client-ip=193.227.239.7; envelope-from=sergio@3gnt.net
X-Virus-Scanned: by cgpav
Received: from internal.domain; Wed, 27 Apr 2022 11:10:29 +0100
Message-ID: <ed55d3d3-b42b-1754-0758-c82b3e661c5b@3gnt.net>
Date: Wed, 27 Apr 2022 11:10:29 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.8.1
Subject: Re: [CGP] Qualys "This server does not support Forward Secrecy with
 the reference browsers. Grade capped to B." problem - Case[AA7Q0427-953ID]
Content-Language: pt_PT
To: CommuniGate Pro Russian Discussions <CGatePro@list.communigate.ru>
References: <list-60511823@mail.communigate.ru>
 <list-60511917@mail.communigate.ru>
Organization: =?UTF-8?Q?3GNTW_-_Tecnologias_de_Informa=c3=a7=c3=a3o=2c_Lda?=
In-Reply-To: <list-60511917@mail.communigate.ru>
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html data-lt-installed="true">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <font face="Segoe UI">Hi,</font><br>
    <br>
    <div class="moz-cite-prefix">On 27/04/2022 07:09, Dmitry Akindinov
      <a class="moz-txt-link-abbreviated" href="mailto:dimak@communigate.ru">dimak@communigate.ru</a> wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:list-60511917@mail.communigate.ru">Hello,
      <br>
      <br>
      On 2022-04-27 06:18, Sérgio Araújo <a class="moz-txt-link-abbreviated" href="mailto:sergio@3gnt.net">sergio@3gnt.net</a> wrote:
      <br>
      <blockquote type="cite">Greetings,
        <br>
        <br>
        Why does a freshly installed CentOS 7.9 / CommuniGate Pro 6.3.11
        server only gets a B grade with the Qualys SSL checker
        <a class="moz-txt-link-rfc2396E" href="https://www.ssllabs.com/ssltest/index.html">&lt;https://www.ssllabs.com/ssltest/index.html&gt;</a> (see attached
        screenshot) ?
        <br>
      </blockquote>
      <br>
      The way they assign grades after their tests is questionable. For
      example to test for some vulnerabilities they would simply check
      the alert code recieved on connection termination witth a break-in
      attempt: if it's not the one they expect they would consider the
      implementation vulnerable, without more checks, regardless the
      fact that unsafe connection was terminated. If they see the older
      or weaker algorithms supported, they would cap your grade - even
      when those weaker algorithms are safer with oledr TLS versions and
      client would normally select the strongest suite presented by the
      server. As for this particular "forward secrecy" - this should be
      about ECDH(E) suits and the DH key size. CGPro supports ECDH
      (long-term DH pair) but not the Ephemeral ECDH (when DH pair is
      re-generated for every exchange in a TLS session), as that would
      require much more CPU for the multiple connections the server
      should be able to endure. The default DH key size is also
      considered too short by these tests: 6.3 uses 1536 by default,
      which is cobsidered effective against all but state-level attacks,
      but can be increased by a command-line parameter.
      <br>
      <br>
      We plan to support TLS 1.3 and EC certificates in future versions.
      Not sure if ECDHE is that important for what most use as a mail
      server.
      <br>
      <br>
      []
      <br>
      <br>
      <blockquote type="cite">
        <br>
        The server uses a valid SSL certificate, and if use an Apache
        server as a reverse proxy, I get an A grade, which makes me
        think it's something with the CommuniGate Pro SSL
        implementation. However, I feel using Apache as a reverse proxy
        makes no sense, since CommuniGate Pro has an embedded Web
        server.
        <br>
      </blockquote>
      <br>
      Well, when you need a web server, you use a web server. CGPro may
      be enough to serve its interfaces and home pages, but for a high
      load web site I would use apache or nginx anyway.
      <br>
      <br>
      <blockquote type="cite">How do i fix/workaround the "/This server
        does not support Forward Secrecy with the reference browsers.
        Grade capped to B./" problem reported by the Qualys SSL checker
        <a class="moz-txt-link-rfc2396E" href="https://www.ssllabs.com/ssltest/index.html">&lt;https://www.ssllabs.com/ssltest/index.html&gt;</a> ?
        <br>
      </blockquote>
      <br>
      The short answer is "you can't do that now".
      <br>
      <br>
      Well, generally hunting for a higher grade without understanding
      their meaning is not a good idea. The "forward secrecy" thing
      (ECDH) is the protection against decoding your traffic collected
      at full in the past with the certificate private key compromised
      in future. Every session is encrypted by a key unique for that
      session and it's _very_ hard to derive that key even if the
      certificate was compromised. But it's still possible for agencys
      with lots of CPU power to brute force for finding the actual
      session key and decode that session traffic. The "perfect forward
      secrecy" (ECDHE) reduces the prize for that brute force attack:
      not the entire session but only some shorter exchange can be
      decoded.
      <br>
      So, even with "imperfect forward secrecy" your traffic is well
      protected. Is protecting mail server traffic from an attack that
      is possible mostly in theory really worth of investing much more
      CPU power?<br>
    </blockquote>
    <br>
    Thanks for the clarification.<br>
    <br>
    Regards,<br>
    <div class="moz-signature"
      signature-switch-id="46fdd3d5-7fc6-4a53-bdbc-1f58c1353c40"><font
        style="font-size:11.0pt" face="Segoe UI Light"> --<br>
        <b>Sérgio Araújo</b><br>
        Partner | CTO<br>
        <br>
        <b>3GNTW | IT - Technology Infrastructure</b>
      </font><br>
      <font style="font-size:11.0pt" face="Segoe UI Light">
        <a class="moz-txt-link-abbreviated" href="mailto:sergio@3gnt.net">sergio@3gnt.net</a> | +351 252 377 120<br>
        <br>
        Cloud | Consultancy | Datacenter | Domains | High Availability |
        Internet | IP Telephony | Messaging | Mobility | Networking |
        Newsletters | Online Shops | Security | System Administration |
        Virtualization | VoIP | Web Hosting | Websites<br>
        <br>
        Visit us at <a href="http://www.3gnt.net/">www.3gnt.net</a>!<br>
        Follow us at <a href="http://www.facebook.com/3gntw">Facebook</a>,
        <a href="http://www.linkedin.com/company/3gntw">LinkedIn</a>, <a
          href="http://twitter.com/3gntw">Twitter</a> and <a
          href="https://www.youtube.com/user/3gntwPT">YouTube</a>.
      </font></div>
  </body>
  <lt-container></lt-container>
</html>