Enhancing SSL Security

Revision as of 11:55, 19 September 2014 by Dweuthen (talk | contribs) (Dweuthen moved page Enhancing Security to Enhancing SSL Security without leaving a redirect)

+++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++

While setup and configuration of MailStore SPE is just a matter of minutes when sticking to the defaults, additional actions can be taken to enhance the overall security of MailStore Service Provider Edition. These are explained in the following sections.

Harding SSL

Harding SSL consist of mainly of disabling insecure ciphers and hashes as well as prioritize cipher suites that allow the use of Perfect Forward Secrecy.

As all components of the MailStore Service Provider Edition rely on the Windows' security support provider (SSP) called Secure Channel (also known as Schannel), a number of registry keys have to be created or modified to disable insecure ciphers and hashes. Although Microsoft's Technet article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll describes in detail which registry keys are responsible for the security provider settings, it is not recommended to manually change these keys. A safer way to adjust the Schannel settings for server applications is Nartac Software's IIS Crypto tool.

Recommended Settings

The highest level of security can be achieved with the following settings in IIS Crypto. Be aware that this will prevent Windows XP clients from connecting. If support for Windows XP is mandatory, use the Best Practice template of IIS Crypto which re-enables some weaker ciphers.

Protocols Enabled TLS 1.0
TLS 1.1
TLS 1.2
Ciphers Enabled AES 128/128
AES 256/256
Hashes Enabled SHA
Key Exchange Enabled Diffie-Hellman
PKCS
SSL Cipher Suite Order TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

Retrieved from "https://help.mailstore.com/en/spe/index.php?title=Enhancing_SSL_Security&oldid=1124"