hMS and SSL Elliptic Curves

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

hMS and SSL Elliptic Curves

Post by ObiWan » 2015-03-11 15:39

I'm wondering if hMS may have some code blocking the use of Elliptic Curve crypto (EC); I'm writing this since I observed a quite strange behavior... but, let me start from the beginning. Having the ability to specify SSL ciphers in hMS, I decided to configure it to avoid weak and vulnerable ciphers while also leaving some backward compatibility; in my case, I used the hMS admin interface to enter the following cipher option string

Code: Select all

kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
now, feeding the very same options string into OpenSSL, that is running this command

Code: Select all

openssl ciphers -v "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED"
generated the following cipher suites list

Code: Select all

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
which is exactly the expected result; all fine till now, but then, trying to connect to hMS using, for example the command (munged the real server name) to connect to the POP3 over SSL port

Code: Select all

openssl s_client -connect mail.example.com:995
told me that the connection was using the following cipher

Code: Select all

Protocol  : TLSv1.2
Cipher    : DHE-RSA-AES256-GCM-SHA384
now, if you check the list of available ciphers (see above), you'll see that the ciphersuite is the first one coming immediately after the EC ones ! At that point I though the box may have some issues with the certificate (strange, but one can't tell for sure until checking); so, I installed stunnel, configured it and gave it the very same certificate; at that point, I issued the following command (port 12345 was my test port)

Code: Select all

openssl s_client -connect mail.example.com:12345
and the resulting cipher was the following

Code: Select all

Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
which, as you can see, tells us that we're using an EC cipher (the fact that we aren't using ECDSA is due to the certificate, but I knew it, yet, we ARE using EC); so, given the above, I wonder if hMS has some code bug or limitation or whatever which doesn't allow it to use the full cipher suites offered by a given OpenSSL configuration string

Now... is that true, or am I missing some config option (notice that I disabled SSLv3 on that box, but even enabling it doesn't make difference)

User avatar
mattg
Moderator
Moderator
Posts: 21044
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMS and SSL Elliptic Curves

Post by mattg » 2015-03-11 16:56

Just wondering if you have restarted hMailserver since setting those ciphers?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: hMS and SSL Elliptic Curves

Post by ObiWan » 2015-03-11 18:19

Yes, I did, and to be sure I even stopped the service and started it back since the built-in function which asks for a restart when you change the suite list doesn't seem to always work ok

User avatar
martin
Developer
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: hMS and SSL Elliptic Curves

Post by martin » 2015-03-14 22:48

What version are you using?

The support for elliptic curve Diffie–Hellman was introduced in hMailServer 5.6. It's not really "blocked", previous to that, more like the necessary initialization for this cipher was not implemented.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: hMS and SSL Elliptic Curves

Post by ObiWan » 2015-03-23 10:01

martin wrote:What version are you using?

The support for elliptic curve Diffie–Hellman was introduced in hMailServer 5.6. It's not really "blocked", previous to that, more like the necessary initialization for this cipher was not implemented.
Sorry for the delay; I checked the hMS version and the hMailAdmin reports 5.6-B2145 (image here src=http://postimg.org/image/fgcme63a3/) so, should it support EC ? And if yes, then I wonder why it apparently doesn't; is there something I need to configure (e.g. in "ini" file) to enable EC ?

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: hMS and SSL Elliptic Curves

Post by ObiWan » 2015-04-01 14:42

No news nor infos ? Not willing to pull someone's leg, just curious as why hMS 5.6 doesn't seem to fully support EC crypto.

User avatar
martin
Developer
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: hMS and SSL Elliptic Curves

Post by martin » 2015-04-02 17:54

I just haven't had time to look into it. Will try to do it during this weekend.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

User avatar
martin
Developer
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: hMS and SSL Elliptic Curves

Post by martin » 2015-04-02 18:55

I took a look. Apparently support for EC ciphers is something which needed to be implemented explicitly, which I have done now. It will be included in the next 5.6.3 build.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: hMS and SSL Elliptic Curves

Post by ObiWan » 2015-04-03 09:39

martin wrote:I took a look. Apparently support for EC ciphers is something which needed to be implemented explicitly, which I have done now. It will be included in the next 5.6.3 build.
Thanks Martin; so it's due to some additional initialization steps ?!?

User avatar
martin
Developer
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: hMS and SSL Elliptic Curves

Post by martin » 2015-04-03 13:07

Yes. An elliptic curve key must be created based of a specific elliptic curve (in hMailServer's case that's hardcoded to be secp256r1 (aka prime256v1)) and then linked to the SSL context when the server starts.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: hMS and SSL Elliptic Curves

Post by ObiWan » 2015-04-03 15:02

martin wrote:Yes. An elliptic curve key must be created based of a specific elliptic curve (in hMailServer's case that's hardcoded to be secp256r1 (aka prime256v1)) and then linked to the SSL context when the server starts.
D'Oh !!! You are totally right, I forgot about that step, now I see !! Well, at least, it's over now :) !

User avatar
martin
Developer
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: hMS and SSL Elliptic Curves

Post by martin » 2015-04-03 15:21

Ha. I mean that's a part of hMailServer now. Implementing these parts are not exactly intuitive.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

Post Reply