"Exchange 2003 SSL/TLS issues" revisited
From: Ed Ray (secadmin at netsecdesign.com)
Date: Tue Dec 05 2006 - 23:54:38 CST
A few weeks ago, Victor Duchovni and others on this newsgroup helped me
to debug an encryption issue regarding communications between a Postfix
front-end mail gateway and Exchange 2003 back-end mail server. The
problem was found to be how Microsoft implements FIPS encryption. The
solution found was to use RC4/MD5 encryption for communications between
Postfix and Exchange 2003. To do this, no change on the Postfix side was
necessary, but on the Exchange side one had to disable the use of FIPS
encryption.
I reported this issue to Microsoft; this apparently affects more than
just Exchange, see below. For those besides me using a Postfix/Exchange
solution, this problem will be fixed sometime in Q1 2007.
Edward W. Ray
From: Scott Oseychik [mailto:scottos at microsoft.com]
Sent: Monday, December 04, 2006 1:05 PM
To: Edward W. Ray
Subject: Microsoft Exchange Escalation - SRX061026600616, "Exchange 2003
SSL/TLS"
Hi Edward,
Short story: We're going to fix it. :-)
Long story: As you originally suspected, this will have to be fixed at
the OS level; specifically in schannel.dll. Basically, the bug is
manifesting itself due to a lack of support for the following ciphers
(in both Windows XP and Windows 2003):
TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
No amount of tweaking Exchange and/or SMTP code is going to resolve the
fact that our underlying ciphers aren't present, which is preventing us
from communicating with Postfix at a high-cipher level. Although it is
[unfortunately] too late to incorporate this change into Windows 2003
SP2, this is being addressed and targeted for Windows 2003 SP3 (note: it
is currently fixed in "Longhorn" Server). Additionally, I'm requesting
to get this functionality packaged as a Windows 2003 Post-SP2 hotfix, so
we can get Exchange 2003 using high ciphers sooner rather than later.
One thing to note: It's not only Exchange 2003 that is suffering from
this, but Exchange 2007 (including Unified Messaging), Office
Communication Server, Office Communicator, and LiveMeeting. Needless to
say, this issue has broad visibility across several product groups
within Microsoft, and fixing this expeditiously is definitely in
everybody's best interest.
I wish I could give you a better timeframe as to when you can expect a
tangible hotfix that will address this issue, but at this point, it's
too early to tell. Once Windows 2003 SP2 has shipped, I should be able
to get a much clearer release schedule from Windows Development.
Kind Regards,
-scott
Scott Oseychik
Escalation Engineer (Exchange)
Microsoft Corporation
E-Mail: scottos at microsoft.com
Office: 980-776-9670
Mobile: 704-634-5529
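The failure described in the thread comes down to one thing: a TLS handshake succeeds only if the client's and the server's cipher-suite lists overlap, and a server whose TLS stack lacks the AES suites cannot be fixed from the application layer. The Go program below is an added illustration, not code from the original post, from Postfix, or from Microsoft. It uses Go's crypto/tls in place of schannel and OpenSSL, an in-memory self-signed certificate for "localhost" instead of real server certificates, and constructed cipher-suite lists: the "before fix" server offers only 3DES as a stand-in for a FIPS-mode schannel without AES128-SHA/AES256-SHA, while the client offers only the two AES suites named in the reply. The names selfSignedRSA, negotiate, postfixOffers, serverBeforeFix and serverAfterFix are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The two suites named in the escalation reply (IANA names; OpenSSL calls
// them AES128-SHA and AES256-SHA), plus the 3DES suite used as a stand-in.
const (
	aes128 = tls.TLS_RSA_WITH_AES_128_CBC_SHA
	aes256 = tls.TLS_RSA_WITH_AES_256_CBC_SHA
	des3   = tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA
)

// Constructed cipher-suite lists for this demo (assumptions, not captured
// from a real Postfix or Exchange host).
var (
	postfixOffers   = []uint16{aes128, aes256}       // client side: AES only
	serverBeforeFix = []uint16{des3}                 // schannel without AES suites
	serverAfterFix  = []uint16{des3, aes128, aes256} // same server once AES is available
)

// selfSignedRSA creates an in-memory RSA certificate for "localhost" and a
// trust pool containing it, so the demo needs no files and no network.
func selfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs one TLS 1.2 handshake over an in-memory pipe, with the
// server restricted to serverSuites and the client to clientSuites. It
// returns the agreed suite, or the handshake error when the lists share
// nothing (the "no cipher suite supported by both" situation in the thread).
func negotiate(cert tls.Certificate, pool *x509.CertPool, serverSuites, clientSuites []uint16) (uint16, error) {
	// TLS 1.3 ignores Config.CipherSuites and has no RSA-kex suites, so both
	// sides are pinned to TLS 1.2 to make the suite lists the deciding factor.
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		CipherSuites:           serverSuites,
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
	cliCfg := &tls.Config{
		RootCAs:                pool,
		ServerName:             "localhost",
		CipherSuites:           clientSuites,
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()

	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(sConn, srvCfg).Handshake() }()
	cli := tls.Client(cConn, cliCfg)
	cliErr := cli.Handshake()
	srvErr := <-srvDone
	if cliErr != nil {
		return 0, cliErr
	}
	if srvErr != nil {
		return 0, srvErr
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	cert, pool, err := selfSignedRSA()
	if err != nil {
		panic(err)
	}
	// No overlap: the handshake fails no matter how the client is tuned.
	if _, err := negotiate(cert, pool, serverBeforeFix, postfixOffers); err != nil {
		fmt.Println("before fix:", err)
	}
	// Overlap restored on the server side: an AES suite is agreed.
	suite, err := negotiate(cert, pool, serverAfterFix, postfixOffers)
	if err != nil {
		panic(err)
	}
	fmt.Println("after fix:", tls.CipherSuiteName(suite))
}
```

The "before fix" run fails with a handshake-failure alert, which is the symptom the thread describes; nothing on the client (Postfix) side changes that, only widening the server's list does. The interim workaround in the thread, disabling FIPS mode so that RC4/MD5 becomes a common suite, is the same mechanism in the other direction: it restores an overlap by re-admitting a weaker suite rather than by adding AES.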