dane/dnssec/tls testing in the go6lab
Post on 01-Jan-2017
230 Views
Preview:
TRANSCRIPT
DANE/DNSSEC/TLSTestingintheGo6lab
JanŽorž,InternetSocietyjan@go6.si
zorz@isoc.org
Acknowledgement
IwouldliketothankInternetSocietytoletmespendsomeofmyISOCworkingtimeingo6labandtestallthisnewandexcitingprotocolsandmechanismsthatmakesInternetabitbetterandmoresecureplace…
DNSSECimplementationingo6lab
IninterestoftimeI’llskipalltheDNSSECimplementationslidesasweareintheNetherlandsandyoumostprobablyknowallthisstuffalreadyJ
Let’sjustassumethatDNSSECingo6labworks,domainsaresignedandDSkeyspublished.
DANEexperiment
• WhenDNSSECwassetupandfunctioningwestartedtoexperimentwithDANE(DNSAuthenticatedNameEntities).
• Requirements:– DNSSECsigneddomains– PostfixserverwithTLSsupport>2.11
• WedecidedonPostfix3.0.1
DANE• TLSArecordformx.go6lab.si
_25._tcp.mx.go6lab.si.INTLSA311B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC25908DA05E2A84748ED
It’s basically apublic key fingerprint oftheTLSself-signedcertificate onmx.go6lab.siserver.
More about DANE:http://www.internetsociety.org/deploy360/resources/dane/
WhatisDANEandhowdoesitwork
DANEverification
• Mx.go6lab.siwasabletoverifyTLScerttoT-2mailserverandnlnet-labsandsomeothers…
mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
dicht postfix/smtp[29540]: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Postfixconfigsmtpd_use_tls =yessmtpd_tls_security_level =maysmtpd_tls_key_file =/etc/postfix/ssl/server.pemsmtpd_tls_cert_file =/etc/postfix/ssl/server.pemsmtpd_tls_auth_only =nosmtpd_tls_loglevel =1smtpd_tls_received_header =yessmtpd_tls_session_cache_timeout =3600ssmtp_tls_security_level =danesmtp_use_tls =yessmtp_tls_note_starttls_offer =yessmtp_tls_loglevel =1tls_random_exchange_name =/var/run/prng_exchtls_random_source =dev:/dev/urandomtls_smtp_use_tls =yes
1MtopAlexadomainsandDANE
• Wefetchedtop1millionAlexa domainsandcreatedascriptthatsentanemailtoeachofthem(test-dnssec-dane@[domain])
• Aftersometweakingofthescriptwegotsomegoodresults
• Thenwebuiltascriptthatparsedmaillogfileandherearetheresults:
Results
• Outof1milliondomains,992,232ofthemhadMXrecordandmailserver.
• Nearly70%(687,897)ofallattemptedSMTPsessionstoAlexa top1milliondomainsMXrecordswereencryptedwithTLS
• MajorityofTLSconnections(60%)wereestablishedwithtrustedcertificate
• 1,382connectionswhereremotemailserverannouncedTLScapabilityfailedwith"CannotstartTLS:handshakefailure"
MoreresultsTLSestablishedconnectionsratiosare:
Anonymous:109.753Untrusted:167.063Trusted:410.953Verified:128
Quickguide:Anonymous(opportunisticTLSwithnosignature),Untrusted(peercertificatenotsignedbytrustedCA),Trusted(peercertificatesignedbytrustedCA)andVerified(verifiedwithTLSAbyDANE).
DANEVerified
Verified:128!!!
Maildistribution
Mail Servers #DomainsHandled TLSState
google.com 125,422 Trusted
secureserver.net 35,759 SomeTrusted,somenoTLSatall
qq.com 11,254 NoTLS
Yandex.ru 9,268 Trusted
Ovh.net 8.531 MostTrusted, withredirectservershavingnoTLSatall
Maildistribution
Mail Servers #DomainsHandled TLSState
Emailsrvr.com 8,262 Trusted
Zohomail.com 2.981 Trusted
Lolipop.jp 1.685 NoTLS
Kundenserver.de 2,834 Trusted
Gandi.net 2,200 Anonymous
DNSSEC?DANE?
Noneofthese“big”mailservers(andtheirdomains)areDNSSECsigned(thatmeantnoDANEatallfortheircustomerspossible- uptoJanuary
2016).
MalformedTLSArecord• WecreatedaTLSArecordwithabadhash(onecharacterchanged)
• Postfixfailedtoverifyitandrefusedtosendamessage
mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
• Ofcourse,withwrongcertificatehashinTLSArecord(refusestosendmail)
• IfdomainwhereMXrecordresidesisnotDNSSECsigned(can’ttrustthedatainMX,sonoverification)
• IfTLSArecordpublishedinnon-DNSSECzone(can’ttrustthedatainTLSA,sonoverification)
WhendoDANEthingsfail?
• go6lab.sizoneissigned,soismx.go6lab.si• thereisTLSAformx.go6lab.si,alsosigned• Domainsigned.si issignedandMXpointstomx.go6lab.si
• Domainnot-signed.si isnotsignedandMXpointstomx.go6lab.si
• Wesendemailtojan@signed.si andjan@not-signed.si (signed.si andnot-signed.si areusedjustasexamples)
Whendothingsfail?(example)
WhenIsendemailtojan@signed.si (signeddomain):
Verified TLSconnectionestablishedtomx.go6lab.si[2001:67c:27e4::23]:25:
WhenIsendemailtojan@not-signed.si (notsigneddomain):
Anonymous TLSconnectionestablishedtomx.go6lab.si[2001:67c:27e4::23]:25:
Whendothingsfail?(example)
• Let’strytopointMXrecordfromsigneddomaintoA/AAAArecordinnot-signeddomainwithTLSAthatisalsonotsigned(obviously)– mail.not-signed.si
Sendmailtojan@signed.si whenMXforsigned.sipointstomail.not-signed.si – DANEverificationisnotevenstartedaschainoftrustisbroken
WhendoDANEverificationalsofail?
postfix-3.1-20160103/HISTORY:20160103
Feature:enableDANEpolicieswhenanMXhosthasasecureTLSADNSrecord,eveniftheMXDNSrecordwasobtainedwithinsecurelookups.TheexistenceofasecureTLSArecordimpliesthatthehostwantstotalkTLSandnotplaintext.Thisbehavioriscontrolledwithsmtp_tls_dane_insecure_mx_policy(default:"dane",othersettings:"encrypt"and"may";thelatterisbackwards-compatiblewithearlierPostfixreleases).ViktorDukhovni.
PostfiximprovementsJ
Let’sEncrypt,DANEandmail• Let’sEncryptrecommendsusing‘211’and‘311’records• ValidityofLEcertis90days• Bydefaulttheunderlyingkeyischangedwhenrenewing• …soalsocerthashischanged• So,lot’sofworkifyouplantopublish311TLSA• usingthe‘211’methodleadstoanotherissue– namelylack
ofanDSTRootCAX3certificateinthefullchain.pem fileprovidedbytheLet’sEncryptclient
• SoweneedtofetchtheDSTRootCAX3certificateandaddittofullchain.pem fileandverifythatitdidnotchangefromprevioustimewerenewed…
ScripttoaddDSTRootCAX3
lynx--sourcehttps://www.identrust.com/certificates/trustid/root-download-x3.html|grep -v"\/textarea"|awk '/textarea/{x=NR+18;next}(NR<=x){print}'|sed -e'1i-----BEGINCERTIFICATE-----\'|sed -e'$a-----ENDCERTIFICATE-----\'>>/etc/letsencrypt/live/mx.go6lab.si/fullchain.pem
Valid311and211TLSArecords
But…• Atnextcertificaterenew,bydefaultunderlyingkeywillchangeand311TLSArecordwillbecomeinvalid…
• Laborwise,weneedtokeeptheunderlyingkeythroughtherenewals
• --csroptioninletsencrypt-autoclient(andalsoatcertbot-auto)
• Indirecotry“examples”thereis“generate-csr.sh”file(letsencrypt branch)
Stableunderlyingkey…
./generate-csr.sh mx.go6lab.siGeneratinga2048bitRSAprivatekey................+++..+++writingnewprivatekeyto'key.pem'-----Youcannowrun:letsencrypt auth --csr csr.der
Renewalsandhashes…• Nowweareusingthesameunderlyingkeyforautomaticrenewalsofcertificate,sohashdoesnotchangeand311TLSArecordworks.
• We’llrotatetheunderlyingkeywhenwedecidetoandbeingdrivenbyhumanintervention(andalsochangetheTLSA).
• ./certbot-autocertonly --debug--renew-by-default-astandalone--csr ./mx.go6lab.si.der–keep
• Ofcourse,weaddDSTRootCAX3certificatetofullchain.pem
Morereading:
http://www.internetsociety.org/deploy360/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/
http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
Q&A
Questions?Protests?Suggestions?Complaints?
jan@go6.sizorz@isoc.org
top related