Webmail: DoS vulnerability via client-initiated renegotiation
  •  
Silverstar

Messages: 154
Karma: 0
Hi folks,

Scanning the webmail on KO 8.1.3 via https://www.ssllabs.com/ssltest/index.html reports that it is "easier to attack via DoS because it supports client-initiated renegotiation".

See: https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks

Maybe this should be fixed?

Greetz
Silverstar
  •  
Neil Whiteside (Kerio)

Messages: 318
Karma: 35
Hi Silverstar,

This issue is addressed in Kerio Connect 8.2, which should be released shortly.

Best regards,

Neil.

Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
  •  
Silverstar

Messages: 154
Karma: 0
Hi Neil,

glad to hear that.

Cheers
Silverstar
  •  
ikheetleon

Messages: 67
Karma: -1
Is this really fixed in 8.2.1? I still get the warning while running version 8.3.1.

Regards,

Leon
  •  
ikheetleon

Messages: 67
Karma: -1
Still no fix in 8.3.3!!! This issue is open for more than a year... wow.

Also TLS_FALLBACK_SCSV is not supported.

Please have this fixed asap so we all get nice green A+ reports on Qualys.

https://www.ssllabs.com/ssltest/

[Updated on: Thu, 23 October 2014 11:39]

  •  
Pavel Dobry (Kerio)

Messages: 5222
Karma: 251
TLS_FALLBACK_SCSV is supported in Kerio Connect 8.3.4: http://forums.kerio.com/t/28184//
  •  
ikheetleon

Messages: 67
Karma: -1
You are right about TLS_FALLBACK_SCSV in version 8.3.4 which came out today. I've just upgraded and that's fixed now. But how about the Secure Client-Initiated Renegotiation?
  •  
Pavel Dobry (Kerio)

Messages: 5222
Karma: 251
Secure Client-Initiated Renegotiation is not disabled because disabling it is not supported by the OpenSSL library. We are working on a solution.
  •  
gommog

Messages: 8
Karma: -3
Pavel Dobry (Kerio) wrote on Thu, 23 October 2014 12:51:
Secure Client-Initiated Renegotiation is not disabled because disabling it is not supported by the OpenSSL library. We are working on a solution.

So has any solution been found? It's quite some time to have your product out on the market without a solution to this known vulnerability.
  •  
Agador

Messages: 40
Karma: 3
Two questions:

What version of OpenSSL is KMS 8.5.3 using?

Why is there not a variable in "mailserver.cfg" for "Secure Client-Initiated Renegotiation", or better yet, why is "Secure Client-Initiated Renegotiation" not set to disabled via "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION"?

This from the openSSL.org website regarding RENEGOTIATION:

SECURE RENEGOTIATION

OpenSSL always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.

The deprecated and highly broken SSLv2 protocol does not support renegotiation at all: its use is strongly discouraged.

This attack has far reaching consequences which application writers should be aware of. In the description below an implementation supporting secure renegotiation is referred to as patched. A server not supporting secure renegotiation is referred to as unpatched.

Please advise!

Jim
  •  
Agador

Messages: 40
Karma: 3
FYI... Qualys still shows KMS 8.5.3 as "Secure Client-Initiated Renegotiation: Supported, DoS DANGER (more info)".

Please advise!

Jim
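As an added example (not code from this thread, from Kerio, or from Qualys), the following Python scans the client-to-server side of a single TLS 1.0 to 1.2 connection and counts handshake records that arrive after application data, which is what a client-initiated renegotiation looks like on the wire; it also reports whether the initial ClientHello carried TLS_FALLBACK_SCSV (RFC 7507) or the RFC 5746 renegotiation_info SCSV, the two points Leon and Jim raise above. The record and ClientHello layouts are the public RFC 5246 ones; the sample byte stream, the cipher suite list and the alert threshold of three renegotiations are constructed here for the demonstration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
HS_CLIENT_HELLO = 1                           # handshake message type
TLS_FALLBACK_SCSV = 0x5600                    # RFC 7507 signalling cipher suite value
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF    # RFC 5746 signalling cipher suite value


def record(ctype, payload, version=0x0303):
    """Wrap a payload in a 5-byte TLS record header (type, version, length)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def build_client_hello(ciphers, version=0x0303):
    """Build a plaintext ClientHello record with the given cipher suites (constructed sample input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # client_version, random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                                        # one compression method: null
    body += b"\x00\x00"                                        # no extensions
    msg = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return record(CT_HANDSHAKE, msg)


def iter_records(data):
    """Yield (content_type, payload) for each TLS record in a byte stream; raise on truncation."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, body
        off += 5 + length


def client_hello_ciphers(msg):
    """Return the cipher suite list of a plaintext ClientHello, or None if msg is not one."""
    if not msg or msg[0] != HS_CLIENT_HELLO:
        return None
    try:
        off = 4 + 2 + 32                      # handshake header, client_version, random
        off += 1 + msg[off]                   # skip session id
        (cs_len,) = struct.unpack("!H", msg[off:off + 2])
        off += 2
        return [struct.unpack("!H", msg[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    except (struct.error, IndexError):
        return None


def analyze_client_stream(data, threshold=3):
    """Summarise the client->server records of one TLS (<= 1.2) connection.

    Once the initial handshake is done, further handshake records from the client are
    encrypted, so only the record header's content type is visible.  A handshake record
    arriving after application data is a renegotiation ClientHello: client-initiated unless
    the server itself sent a HelloRequest (a server that never does so can treat all of
    them as client-initiated).  TLS 1.3 removed renegotiation; its post-handshake messages
    (KeyUpdate, client authentication) would have to be excluded before applying this there.
    """
    ciphers = None
    hello_parsed = False
    seen_app_data = False
    renegotiations = 0
    for ctype, body in iter_records(data):
        if ctype == CT_HANDSHAKE and not hello_parsed:
            ciphers = client_hello_ciphers(body)      # only the first record is plaintext
            hello_parsed = True
        elif ctype == CT_APPLICATION_DATA:
            seen_app_data = True
        elif ctype == CT_HANDSHAKE and seen_app_data:
            renegotiations += 1
    ciphers = ciphers or []
    return {
        "initial_ciphers": ciphers,
        "fallback_scsv": TLS_FALLBACK_SCSV in ciphers,
        "renegotiation_info_scsv": TLS_EMPTY_RENEGOTIATION_INFO_SCSV in ciphers,
        "renegotiation_attempts": renegotiations,
        "alert": renegotiations >= threshold,
    }


# Constructed sample stream: initial handshake, one HTTP request, then five renegotiations.
SAMPLE_STREAM = (
    build_client_hello([0xC02F, 0x009C, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_FALLBACK_SCSV])
    + record(CT_CHANGE_CIPHER_SPEC, b"\x01")
    + record(CT_HANDSHAKE, bytes(40))                 # encrypted Finished (opaque filler)
    + record(CT_APPLICATION_DATA, b"GET / HTTP/1.1\r\n\r\n")
    + record(CT_HANDSHAKE, bytes(64)) * 5             # five encrypted renegotiation ClientHellos
)

if __name__ == "__main__":
    print(analyze_client_stream(SAMPLE_STREAM))
```

Run on the constructed stream this reports five renegotiation attempts and raises the alert; the same counter applied per connection at a reverse proxy or IDS is the practical way to see whether a server that still accepts renegotiation is actually being hit, independent of what the scanner reports about the server's configuration.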