Ssl – Perfect Forward Secrecy (PFS) for mail servers

emailemail-serverSecurityssltls

Perfect Forward Secrecy is an important enhancement to SSL/TLS communications, helping prevent captured SSL traffic from being decrypted even if the attacker has the private key. It's easy enough to support in web servers, but it's also applicable to any other SSL context, such as in mail servers for SMTP, POP3 and IMAP.

This has recently (Sept 2014) come to a head in Germany, where data protection bodies have started inspecting and fining organisations that do not support PFS on their mail servers, along with heartbleed and poodle vulnerabilities. PFS support in web browsers is somewhat patchy, though all the major ones support it – but I'm looking for PFS compatibility info on mail servers and clients, ideally something like SSL Labs' handshake tests provide, but for mail servers.

Can anyone provide or point me at good sources for mail server PFS compatibility?

To clarify, I'm not looking to interrogate a specific server, but to see the results of such testing across a wide range of different servers, for example it would be useful to know that Outlook 2003 doesn't support ECDHE, or that Android 2 doesn't allow DH params of bigger than 2048 bits (I don't know if these are true, they're just examples). The benefit of this is to know that if I choose to disable some specific cipher, which clients is it likely to affect, just like the SSL labs tests show for web clients.

Best Answer

The benefit of this is to know that if I choose to disable some specific cipher, which clients is it likely to affect, just like the SSL labs tests show for web clients.

You don't need to restrict yourself to a specific cipher, but instead simply enable all ciphers which are acceptable to you and in the order you prefer them. The resulting cipher then will be negotiated between client and server depending on the supported ciphers on both sites. Don't restrict yourself unnecessary.

As for the ciphers typically used at the server side you might have a look at Quantifying the quality of TLS support where I've analyzed the TLS support for SMTP from the top 1M sites according to Alexa, which are about 600000 mail server with TLS enabled. According to my tests about 33% of the servers use ECDHE ciphers and 52% DHE ciphers, so that 85% use forward secrecy.

And for some more information about the ciphers used you will not find in the study here is a detailed list of ciphers negotiated when used with the DEFAULT cipher set of OpenSSL 1.0.1:

100.00%     600433 TOTAL
 29.53%     177285 DHE-RSA-AES256-GCM-SHA384
 21.20%     127304 ECDHE-RSA-AES128-GCM-SHA256
 20.62%     123804 DHE-RSA-AES256-SHA
  7.65%      45919 AES256-SHA
  6.40%      38404 ECDHE-RSA-AES256-GCM-SHA384
  4.42%      26558 AES256-GCM-SHA384
  4.36%      26189 ECDHE-RSA-AES256-SHA384
  1.76%      10586 AES128-SHA
  1.17%       7003 RC4-SHA
  0.93%       5577 DHE-RSA-AES256-SHA256
  0.90%       5389 ECDHE-RSA-AES256-SHA
  0.56%       3372 DHE-RSA-CAMELLIA256-SHA
  0.19%       1137 RC4-MD5
  0.08%        503 EDH-RSA-DES-CBC3-SHA
  0.08%        454 DES-CBC3-SHA
  0.07%        444 AES128-SHA256
  0.04%        235 DHE-RSA-AES128-GCM-SHA256
  0.01%         82 AES128-GCM-SHA256
  0.01%         59 AES256-SHA256
  0.01%         53 DHE-RSA-AES128-SHA
  0.00%         23 ECDHE-RSA-AES128-SHA
  0.00%         14 DHE-DSS-AES256-SHA
  0.00%         11 ECDHE-RSA-AES128-SHA256
  0.00%         10 ECDHE-RSA-RC4-SHA
  0.00%         10 ECDHE-RSA-DES-CBC3-SHA
  0.00%          4 DHE-DSS-AES256-GCM-SHA384
  0.00%          2 CAMELLIA256-SHA
  0.00%          1 DHE-RSA-SEED-SHA
  0.00%          1 AECDH-DES-CBC3-SHA

Background

We are mixing two different concepts a bit: the protocol and cipher suites. SSLv3 being the protocol, and forward secrecy being a trait of the negotiated cipher suite. Which cipher suites are selected depends on the client, the server, and the protocol that gets negotiated.

This means you cannot rely on the version of the protocol to decide whether or not the browser supports forward secrecy (this will probably change with TLS 1.3). SSLv3 (at least as a specification) does support some forward secrecy cipher suites, such as SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA (though in practice I don't see browsers supporting that cipher suite). That goes the same to say that a version of TLS does not mandate the use of forward secrecy.

Internet Explorer is an interesting case because it is the only major browser where the supported ciphers depends on the version of the browser and the version of Windows. This is because Internet Explorer defers all of the HTTPS negotiation and handling to a component of Windows called SChannel. In order for Internet Explorer to support a given protocol and cipher suite, SChannel needs to support it first. This makes it a little complex to say what cipher suites and protocols are supported.

There is one version of Internet Explorer that supports SSLv3, and nothing else, which is Internet Explorer 6. It remains the only browser that has a modicum of usage which does not support TLS 1.0 (that's not exactly true; IE6 does support it, it's just not enabled by default). So by going through the trouble of displaying an error page, the only browser you'd be targeting is Internet Explorer 6. I suppose other browser could disable support for all versions of TLS and leave only SSLv3 selected, but that would mean a large portion of HTTPS-enabled web sites would not work for them, as many have already completely disabled support for SSLv3. In practice, I don't think you will come across many browsers that support only SSLv3 and isn't IE 6. IE 8 on Windows XP comes with TLS 1.0 on by default, and any version of IE on Windows Vista or later supports at least TLS 1.0. Internet Explorer 11 on Windows 8 and Windows 7 support the (as of writing) latest TLS 1.2.

Showing a "Sorry, no SSLv3!" page: What could go wrong?

Getting a little closer to your question, your concern is showing a page to users whose browser wants to connect with SSLv3. There are pros and cons to this. The first, beware that SSLv3 has an issue with it called POODLE. The discovery of POODLE has let many web sites to completely shut off SSLv3 support.

This leads to a chicken-and-egg problem. If you were to redirect users based on the version of the protocol negotiated, your web server would need to support SSLv3 in the first place to detect the presence of it and serve a redirect. However doing so, you may be exposing those clients to unnecessary risk. If the server must accept the SSLv3 connect to show a page to the user that SSLv3 is not allowed, an active-attacker could use that as an opportunity to exploit the very weaknesses of SSLv3. For example, let's say a client authenticates to your website over HTTPS using TLS 1.0. IE doesn't support TLS_FALLBACK_SCSV, and an active attacker forces the browser down to SSLv3. If your site uses cookies to authenticate, the attacker has now forced the browser down to SSLv3 (which will serve your error redirect) but it could reveal the authentication cookie. Remember that once the user has their authentication cookie, browsers send those cookies along with every request. Stealing an authentication cookie is a big deal, and entirely possible in this scenario and using POODLE. So even though you are attempting to just some a simple error page, there is risk associated with supporting SSLv3.

IIS can't do this on its own

So, to your actual question. No, Internet Information Services in itself cannot redirect a request based on the SSL/TLS version or cipher suite. There may be a 3rd party module that does it, but I am not aware of one. You have a few options, though.

Could fix at load balancer

You can offload the connection to a reverse proxy that does support redirecting based on the presence of SSLv3 - I'm not aware of a way to do this based on the actual cipher suite. HAProxy is one that I know of that can - there are probably others that I am just not familiar with. I won't go into the specifics, but with HAProxy you can assign an ACL based on the SSL version like so:

acl sslv3 ssl_fc_protocol SSLv3

Once you have the ACL, you can send them to a specific backend, or process it however you want.

Could fix with own IIS module

Other options might be finding or developing your own module for IIS that can do this. IMHO, IIS doesn't have magnificent support for configuring and supporting SSL. Personally, I'd offload the SSL onto a reverse proxy, but I know that isn't for everyone.

Could fix with just disabling protocol support below TLS 1.0

Your third option is to just support only forward secrecy cipher suites and at minimum TLS 1.0. Using a cipher suite of AES128+EECDH:AES128+EDH with TLSv1, TLSv1.1, and TLSv1.2 will get your support for most browsers. The only browsers that would be left out in the cold is any Internet Explorer version on Windows XP since Windows XP doesn't support any reasonable cipher suite that supports forward secrecy. As far as I know, Windows XP only supports DHE with DSS, which is something you absolutely don't want to bother supporting.

My way: disabled SSL protocol support

The latter is the solution I have gone with. Supporting deprecated protocols and cipher suites poses a risk - even if they are there only to show an error page.

Best Answer

Related Solutions

Nginx – Forward secrecy in Nginx (CentOS6)

Ssl – configure IIS 7.5 Forward Secrecy to redirect for unsupported browsers (I.E.)