Disable SSL/TLS renegotiation

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Disable SSL/TLS renegotiation

Viktor Schneider
Hello postfix-users,

While checking the SSL configuration of a Postfix server, I noticed that so-called "Client-initiated secure renegotiation" is available at Postfix by default.
You can verify it with following openssl command and press "R" once the connection is successfully established:

openssl s_client -connect <hostname/IP>:25 -starttls smtp

250 DSN
R
RENEGOTIATING
depth=2 C = US, O = XXX, OU = www.xxx.com, CN = XXX Root CA
verify return:1
depth=1 C = US, O = XXX, OU = www.xxx.com, CN = XXX Server CA
verify return:1
depth=0 C = XX, ST = XXX, L = XXX, O = XX, CN = XXX
verify return:1

The problem with SSL renegotiation in association with DoS attacks is already known. You can find a lot of information on the Internet, but mostly related to HTTPS.

https://blog.qualys.com/ssllabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks

There is also a modified version of a well known exploit that performs the same attack against SMTP (STARTTLS) protocol. It establishes several connections and initiates the renegotiation several times.
I ran this exploit against a postfix server. It was possible to increase the load significantly with only 30 threads:
- Attackers client with 1 core CPU and 0,60 load average during the attack. (30 SMTP connections)
- Target server with 4 core CPU and 17.0 load average during the attack. (30 SMPT connections)

Are there already plans to make "Client-initiated secure renegotiation" support in Postfix disengageable? I would very much appreciate it if I could switch off this function.

Best regards,

Viktor

Reply | Threaded
Open this post in threaded view
|

Re: Disable SSL/TLS renegotiation

Viktor Dukhovni
On Wed, Jul 11, 2018 at 03:27:05PM +0200, Viktor Schneider wrote:

> While checking the SSL configuration of a Postfix server, I noticed that
> so-called "Client-initiated secure renegotiation" is available at
> Postfix by default.
> You can verify it with following openssl command and press "R" once the
> connection is successfully established:

When you configure TLS handshake rate limits, they apply equally
to new connections and renegotiation.  If you don't configure TLS
handshake rate limits, it is not clear why you'd want to restrict
renegotiation, unless you're trying to use connection rate limits
as a proxy for TLS rate limits.

> Are there already plans to make "Client-initiated secure renegotiation"
> support in Postfix disengageable? I would very much appreciate it if I
> could switch off this function.

You can rate limit non-resumption TLS handshakes:

    http://www.postfix.org/postconf.5.html#smtpd_client_new_tls_session_rate_limit

If you're linking against OpenSSL 1.1.0h or later, you can set the
SSL_OP_NO_RENEGOTIATION SSL option:

    http://www.postfix.org/postconf.5.html#tls_ssl_options

    tls_ssl_options = 0x40000000

That value of 0x40000000 has a completely different effect in OpenSSL
1.0.x (which is not ABI-compatible with OpenSSL 1.1.x), where it
set the

    SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

option, and has no effect with OpenSSL 1.1.0 at patch levels lower
than "h".  So do not do this with earlier OpenSSL releases.
The latest patch release is OpenSSL 1.1.0i.

You best bet is the TLS session rate limit.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Disable SSL/TLS renegotiation

Viktor Dukhovni
On Wed, Jul 11, 2018 at 10:04:30AM -0400, Viktor Dukhovni wrote:

> On Wed, Jul 11, 2018 at 03:27:05PM +0200, Viktor Schneider wrote:
>
> > While checking the SSL configuration of a Postfix server, I noticed that
> > so-called "Client-initiated secure renegotiation" is available at
> > Postfix by default.
> > You can verify it with following openssl command and press "R" once the
> > connection is successfully established:
>
> When you configure TLS handshake rate limits, they apply equally
> to new connections and renegotiation.  If you don't configure TLS
> handshake rate limits, it is not clear why you'd want to restrict
> renegotiation, unless you're trying to use connection rate limits
> as a proxy for TLS rate limits.

It seems I misremebered, post-STARTTLS renegotiation is not subjected
to anvil rate limits.  I'd need to find the right OpenSSL callback
to hook into the server processing of client TLS HELLO requests and
turn them down if the rate is too high.  This is not presently
implemented.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Disable SSL/TLS renegotiation

Viktor Schneider
>> It seems I misremebered, post-STARTTLS renegotiation is not subjected
>> to anvil rate limits.  I'd need to find the right OpenSSL callback
>> to hook into the server processing of client TLS HELLO requests and
>> turn them down if the rate is too high.  This is not presently
>> implemented.

Maybe it would be helpful to have an switch off option.
The google mailrelays do not accept renegotiation requests either.
The meaning of bit-mask 0x40000000 is not clear without documentation.

Thank you very much.