Enhancing SSL Security

Revision as of 10:38, 19 September 2014 by Dweuthen (talk | contribs) (Created page with "+++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ While setup and configuration of MailStore SPE is just a matter of minutes when sticking with the de...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

+++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++

While setup and configuration of MailStore SPE is just a matter of minutes when sticking with the defaults, additional actions can be taken to enhance the overall security of MailStore Service Provider Edition. These are explained in the following sections.

Harding SSL

Harding SSL settings consist of disabling insecure ciphers and hashes as well as prioritize cipher suites that allow the use of Perfect Forward Secrecy.

As all components of the MailStore Service Provider Edition rely on the security support provider (SSP) of the underlying Windows operating system called Secure Channel (also known as Schannel), a number of registry keys have to be created or modified to disable insecure ciphers and hashes. Although Microsoft's Technet article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll describes in detail which registry keys are responsible for the security provider settings, it is not recommended to manually change these keys. A safer way to adjust the Schannel settings for server applications is Nartac Software's IIS Crypto tool.

Recommended Settings

Highest security can be achieved with the following settings in IIS Crypto. Be aware this will prevent Windows XP clients from connecting. If support for Windows XP is mandatory, use the Best Practice template.

Protocols Enabled TLS 1.0
TLS 1.1
TLS 1.2
Ciphers Enabled AES 128/128
AES 256/256
Hashes Enabled SHA
Key Exchange Enabled Diffie-Hellman
PKCS
SSL Cipher Suite Order TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA