Mailing List CGatePro@mail.stalker.com Message #106746
From: Technical Support support@stalker.com <CGatePro@mail.stalker.com>
Subject: Re: Why does a freshly installed CentOS 7.4 / CommuniGate Pro 6.2.1 server only gets a Qualys SSL B grade ?
Date: Thu, 1 Feb 2018 20:00:45 +0300
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hello,

On 2018-01-30 12:47, Sérgio Araújo sergio@3gnt.net wrote:
Greetings,

Why does a freshly installed CentOS 7.4 / CommuniGate Pro 6.2.1 server only get
a B grade with the Qualys SSL checker
<https://www.ssllabs.com/ssltest/index.html> (see attached screenshot)?

The most likely reason is that the Diffie-Hellman key size used by default in CGPro (1024) is considered weak by this test, though this attitude is arguable. You can increase the size with the startup parameter --DHKeySize 2240. But that increases the cost of the TLS handshake, may not be supported by some clients, and makes sense if you want to protect your traffic from government-level institutions. For protection against a "regular" attacker (not "national powers") the standard 1024-bit key length is pretty much enough.

As for the quality of these tests, the site reports the CGPro SSL implementation as vulnerable to the ROBOT/Bleichenbacher attack, but in fact we believe it is not, at least since version 6.1.6. https://robotattack.org also does not show CGPro as vulnerable, though we are going to re-evaluate our SSL/TLS against some less famous variants of that attack.

[root@mail ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@mail ~]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK 3gnt.net CommuniGate Pro POP3 Server 6.2.1 ready <421.1515639465@3gnt.net>

The server uses a valid Let's Encrypt certificate, and if I use an Apache server
as a reverse proxy, I get an A grade, which makes me think it's something with
the CommuniGate Pro SSL implementation. However, I feel using Apache as a
reverse proxy makes no sense, since CommuniGate Pro has an embedded Web server.

How do I fix or work around the problems reported by the Qualys SSL checker
<https://www.ssllabs.com/ssltest/index.html>?

Regards,
-- *Sérgio Araújo*
Managing Partner | Technical Director

*3GNTW | IT - Technology Infrastructure*
sergio@3gnt.net | +351 252 377 120

Systems Administration | Web Hosting | High Availability | Cloud |
Consulting | Datacenter | Domains | Internet | Online Stores | Messaging |
Mobility | Newsletters | Networks | Security | IP Telephony | Virtualization |
VoIP | Websites

Visit us at www.3gnt.net <http://www.3gnt.net/>!
Follow us on Facebook <http://www.facebook.com/3gntw>, Google+
<https://www.google.com/+3gntNet>, LinkedIn
<http://www.linkedin.com/company/3gntw>, Twitter <http://twitter.com/3gntw> and
YouTube <https://www.youtube.com/user/3gntwPT>.



#############################################################
This message is sent to you because you are subscribed to
   the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>


--
Best regards,
Dmitry Akindinov

=======================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your
reply.
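Before and after raising --DHKeySize, the quickest confirmation of what the server actually negotiates is an openssl s_client handshake restricted to DHE suites, read off the "Server Temp Key:" line. The script below is an added example, not code from the original post or from CommuniGate Pro; the host name, ports and the transcript shapes it parses are constructed placeholders, and the 2048-bit threshold is the one SSL Labs applies when it caps a grade at B for weak DH parameters. Pointed at port 110 with STARTTLS it exercises the same POP3 service whose banner appears in the thread.

```python
"""Report the ephemeral Diffie-Hellman group a TLS server negotiates.

Added example for this thread; not code from the original post or from
CommuniGate Pro. It shells out to `openssl s_client`, reads the
"Server Temp Key:" line OpenSSL prints for (EC)DHE suites, and flags
finite-field DH groups under 2048 bits, the size at which SSL Labs caps
the grade at B. Host names and ports below are constructed placeholders.
"""
import re
import subprocess
import sys

# Finite-field DHE groups below this size are treated as weak (the
# post-Logjam threshold SSL Labs uses). CGPro's 1024-bit default fails it.
MIN_FFDHE_BITS = 2048
# Curve sizes below this are weak; X25519 (253) and P-256 (256) pass.
MIN_ECDHE_BITS = 224

# Matches the three shapes OpenSSL prints:
#   "Server Temp Key: DH, 1024 bits"
#   "Server Temp Key: ECDH, P-256, 256 bits"
#   "Server Temp Key: X25519, 253 bits"
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[A-Za-z0-9]+)"
    r"(?:,\s*(?P<group>[A-Za-z0-9-]+))?,\s*(?P<bits>\d+) bits",
    re.MULTILINE,
)


def parse_temp_key(s_client_output):
    """Return (kind, group_or_None, bits) from s_client output, or None when
    no ephemeral key was used (static RSA key exchange, no forward secrecy)."""
    m = TEMP_KEY_RE.search(s_client_output)
    if m is None:
        return None
    return m.group("kind"), m.group("group"), int(m.group("bits"))


def assess(temp_key):
    """Classify a parsed temp key as 'weak', 'ok' or 'no-pfs', with a reason."""
    if temp_key is None:
        return "no-pfs", "no ephemeral key: static RSA key exchange, no forward secrecy"
    kind, group, bits = temp_key
    if kind == "DH":
        if bits < MIN_FFDHE_BITS:
            return "weak", (f"DHE group is {bits} bits (< {MIN_FFDHE_BITS}); "
                            "SSL Labs caps the grade at B")
        return "ok", f"DHE group is {bits} bits"
    label = f"{kind} {group}" if group else kind
    if bits < MIN_ECDHE_BITS:
        return "weak", f"{label} is {bits} bits (< {MIN_ECDHE_BITS})"
    return "ok", f"{label} is {bits} bits"


def probe(host, port=443, starttls=None, timeout=15):
    """Run openssl s_client against host:port and return its combined output.

    -cipher DHE restricts the offer to finite-field DHE suites, so a server
    that would otherwise prefer ECDHE still reveals its DH group size (what
    CGPro's --DHKeySize controls); -tls1_2 keeps a TLS 1.3-capable OpenSSL
    from negotiating 1.3, where the -cipher list does not apply. `starttls`
    is the protocol name openssl expects, e.g. "pop3", "imap" or "smtp".
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-tls1_2", "-cipher", "DHE"]
    if starttls:
        cmd += ["-starttls", starttls]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: dhcheck.py HOST [PORT] [STARTTLS], e.g. mail.example.net 110 pop3
    # (placeholder host; 110/pop3 matches the POP3 banner shown in the thread).
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    starttls = sys.argv[3] if len(sys.argv) > 3 else None
    status, reason = assess(parse_temp_key(probe(host, port, starttls)))
    print(f"{host}:{port} -> {status}: {reason}")
    sys.exit(1 if status == "weak" else 0)
```

Run it once against the stock install to see the 1024-bit DHE group behind the B cap, then again after restarting CGPro with --DHKeySize set. The probe forces DHE deliberately: SSL Labs tests each offered suite, so a server that prefers ECDHE is still capped if it offers any DHE suite with a weak group, and a handshake that simply lands on X25519 or P-256 tells you nothing about the setting the thread is about.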