Security issue (Kerio not using contemporary key exchange algorithm)
NoTweet

If watching the news, secure communication should be a top priority these days, but Kerio seems not to be utilizing the available encryption features. Instead it is encrypting every session with the same static key, so that the recorded traffic between the client and the Kerio server can be completely decrypted afterwards once the private key is cracked or becomes known.

Checked with openssl:

openssl s_client -connect [mailserver]:443
openssl s_client -connect [mailserver]:993
openssl s_client -connect [mailserver]:587
openssl s_client -starttls smtp -connect [mailserver]:587

-> Nothing but plain old rsa.

When trying to force DH with
openssl s_client -cipher 'ECDH:DH' -connect [mailserver]:443
Kerio clearly states:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724
and
Secure Renegotiation IS NOT supported

That surely paints a smile on the face of some agencies.

Is there an option in the config file to activate an up-to-date key exchange, or are we doomed to use outdated security concepts?

And by the way: KOFF is still not checking server certificates. Why is that? Same reason why Kerio is ignoring forwarded secrecy?
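
The check from the post above, as a script that reads `openssl s_client` output and reports whether the negotiated suite uses an ephemeral key exchange. This is an added example, not part of the original thread; the function names and the sample handshake output are constructed, and the classification relies on OpenSSL's common cipher-suite name prefixes.

```shell
#!/bin/sh
# Added example, not from the thread: tell whether a TLS handshake used an
# ephemeral (forward-secret) key exchange, based on OpenSSL cipher-suite names.

# Pull the negotiated suite from `openssl s_client` output read on stdin.
negotiated_cipher() {
  sed -n 's/^.*Cipher is \([^ ]*\).*$/\1/p' | head -n 1
}

# Classify an OpenSSL cipher-suite name by its key exchange.
kx_class() {
  case "$1" in
    ''|0000|'(NONE)')     echo "no-handshake" ;;
    TLS_*)                echo "ephemeral" ;;  # TLS 1.3: full handshakes use (EC)DHE
    ECDHE-*|DHE-*|EDH-*)  echo "ephemeral" ;;  # per-session keys, forward secrecy
    ADH-*|AECDH-*)        echo "anonymous" ;;  # ephemeral but unauthenticated
    *)                    echo "static" ;;     # RSA key transport (AES256-SHA), fixed (EC)DH, PSK
  esac
}

# Summarise s_client output on stdin as "<cipher> <class>".
report() {
  cipher=$(negotiated_cipher)
  echo "${cipher:-none} $(kx_class "$cipher")"
}

# Live check, not run by this script: probe HOST:PORT [STARTTLS-PROTOCOL]
probe() {
  openssl s_client -connect "$1" ${2:+-starttls "$2"} </dev/null 2>/dev/null | report
}

# Constructed sample in the shape of the result described in the post.
sample_static() {
  cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
EOF
}

sample_static | report    # prints: AES256-SHA static
```

Against a live server, `probe mail.example.com:443` and `probe mail.example.com:587 smtp` repeat the checks from the post; the host name is a placeholder.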
  •  
Pavel Dobry (Kerio)

Support for DH is available in Kerio Connect 8.2 beta.
  •  
NoTweet

Glad to hear that.

What about KOFF in 8.2?
Will it utilize DH?
Will it check the server certificate?