Re: Problems with SSL [SOLVED]

Thanks, Michael.


On 30/11/16 at 06:03, Michael Menge via Info-cyrus wrote:
Hi,


Quoting Infraestructura TIC - UNNOBA via Info-cyrus <info-cyrus@xxxxxxxxxxxxxxxxxxxx>:

Hello!
I've been using Cyrus on a Debian VM for several years, but now SSL has started to fail:

    Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
hard-coded DH parameters
    Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]

I tried with self-signed certificates, and third-party ones, but the
result is the same.
I spent two days trying to figure out what happened, without results.

    #openssl s_client -connect mail.server.test:993 -crlf -state
    CONNECTED(00000003)
    SSL_connect:before SSL initialization
    SSL_connect:SSLv3/TLS write client hello
    SSL3 alert read:fatal:handshake failure
    SSL_connect:error in SSLv3/TLS write client hello
    140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
    40
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)

I believe the server and client have no SSL/TLS version and/or Cipher in common and
therefore can't establish an encrypted connection.

Some time ago I found an SSL server test suite, https://github.com/drwetter/testssl.sh,
which tries to do what https://www.ssllabs.com/ does for web servers, but for all protocols
and for servers not reachable from the internet.

You might want to check your server with ./testssl.sh mail.server.test:993


I tried with testssl.sh and sslscan, and both tools reported that TLS was not working on Cyrus.

"  TLS renegotiation:
   Secure session renegotiation supported"

and

"
 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               not offered
 TLS 1.1             not offered
 TLS 1.2             not offered
 SPDY/NPN            (SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN          (HTTP/2 is a HTTP protocol and thus not tested here)

"


I solved it by specifying ciphers in this way (in /etc/imapd.conf):

tls_ciphers: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

instead of

tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH


And now, TLS 1.2 is working.

Thanks!
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1480435442
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---


I'm using these versions:

cyrus-admin                           2.5.10-2
cyrus-clients                         2.5.10-2
cyrus-common                          2.5.10-2
cyrus-doc                             2.5.10-2
cyrus-imapd                           2.5.10-2
cyrus-murder                          2.5.10-2
cyrus-pop3d                           2.5.10-2
cyrus-replication                     2.5.10-2



Both the certificate and the key are accessible to the cyrus user. The certificate is
up to date.

This is the config:

$sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
    [...]
    tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
    tls_client_ca_dir: /etc/ssl/certs
    tls_client_ca_file: /etc/ssl/certs/cyrus.pem
    tls_server_cert: /etc/ssl/certs/cyrus.pem
    tls_server_key: /etc/ssl/private/cyrus.key
    tls_session_timeout: 0
    [...]


And before declaring myself "completely lost", I also checked the
entropy ... but it is OK.

#cat /proc/sys/kernel/random/entropy_avail
2354



Any suggestions?

Thanks in advance!



Javier.-


----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus



--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail: michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen

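
Michael's diagnosis above is that server and client have no protocol or cipher suite in common, and Javier's fix is a different tls_ciphers string. What neither message shows is how to check that locally before touching a live server. The following is an added example, not code from the thread or from the Cyrus project: it expands both cipher strings quoted above with the OpenSSL installed on the host, via Python's ssl module, which hands the string to the same SSL_CTX_set_cipher_list() that Cyrus calls for tls_ciphers, so the result matches `openssl ciphers -v '<spec>'` on that host. It also computes the suites a given client string shares with the server string (an empty intersection is exactly the "no shared cipher" condition behind the handshake-failure alert 40 in the s_client output) and marks suites whose key exchange is not ephemeral. The client cipher string is an assumption for illustration, not taken from the thread. Run it on the Cyrus host itself: the expansion depends on the OpenSSL version, which is the whole point of the check.

```python
"""Expand OpenSSL cipher strings locally and compare server and client sides.

Added example (not from the Cyrus project or the mailing-list thread). The
ssl module passes the string to SSL_CTX_set_cipher_list(), the call Cyrus
makes for tls_ciphers, so the expansion equals `openssl ciphers -v SPEC`
on this host.
"""
import ssl

# Cipher strings quoted in the thread: the one that failed and the replacement.
OLD_SPEC = "TLSv1+HIGH:!aNULL:@STRENGTH"
NEW_SPEC = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
    "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:"
    "!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
)


def expand_cipher_spec(spec):
    """Return the TLS 1.2-and-below suite names an OpenSSL cipher string
    selects on this host, in preference order; [] if nothing matches
    (OpenSSL then rejects the string with "No cipher can be selected")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are fixed and not governed by the cipher string; drop
    # them so the list reflects only what tls_ciphers actually controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def common_ciphers(server_spec, client_spec):
    """Suites both sides would offer, in the server's preference order.
    Empty means a TLS <= 1.2 handshake cannot succeed (alert 40)."""
    client = set(expand_cipher_spec(client_spec))
    return [name for name in expand_cipher_spec(server_spec) if name in client]


def lacks_forward_secrecy(name):
    """True for suites with static RSA/DH/ECDH key exchange; OpenSSL names
    the ephemeral exchanges ECDHE-, DHE- and EDH-."""
    return not name.startswith(("ECDHE-", "DHE-", "EDH-"))


if __name__ == "__main__":
    for label, spec in (("old", OLD_SPEC), ("new", NEW_SPEC)):
        suites = expand_cipher_spec(spec)
        print(f"{label}: {len(suites)} suite(s) selected")
        for name in suites:
            note = "  (no forward secrecy)" if lacks_forward_secrecy(name) else ""
            print(f"  {name}{note}")
    # Assumed client string for illustration (roughly a modern default client).
    client_spec = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4"
    print("shared with that client:", common_ciphers(NEW_SPEC, client_spec))
```

If `expand_cipher_spec` returns an empty list for the string you have in imapd.conf, the handshake will fail against every client regardless of certificate, key or entropy. To confirm against the running server rather than the library, `openssl s_client -connect host:993 -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'` tests one suite at a time, and `./testssl.sh host:993` walks the full matrix as Michael suggests.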