<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Thanks, Michael.<br>
      <br>
      <br>
      On 30/11/16 at 06:03, Michael Menge via Info-cyrus wrote:<br>
    </div>
    <blockquote
cite="mid:20161130100341.Horde.z9-G1D2VPB8LgBZutnsY9BE@webmail.uni-tuebingen.de"
      type="cite">Hi,
      <br>
      <br>
      <br>
      Quoting Infraestructura TIC - UNNOBA via Info-cyrus
      <a class="moz-txt-link-rfc2396E" href="mailto:info-cyrus@lists.andrew.cmu.edu">&lt;info-cyrus@lists.andrew.cmu.edu&gt;</a>:
      <br>
      <br>
      <blockquote type="cite">Hello!
        <br>
        I have been using Cyrus on a Debian VM for several years, but now SSL
        has started to fail:
        <br>
        <br>
            Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading hard-coded DH parameters
        <br>
            Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
        <br>
        <br>
        I tried with self-signed certificates and third-party ones, but the
        result is the same.
        <br>
        I spent two days trying to figure out what happened, without
        results.
        <br>
        <br>
            #openssl s_client -connect mail.server.test:993 -crlf -state
        <br>
            CONNECTED(00000003)
        <br>
            SSL_connect:before SSL initialization
        <br>
            SSL_connect:SSLv3/TLS write client hello
        <br>
            SSL3 alert read:fatal:handshake failure
        <br>
            SSL_connect:error in SSLv3/TLS write client hello
        <br>
            140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number 40
        <br>
            ---
        <br>
            no peer certificate available
        <br>
            ---
        <br>
            No client certificate CA names sent
        <br>
            ---
        <br>
            SSL handshake has read 7 bytes and written 176 bytes
        <br>
            Verification: OK
        <br>
            ---
        <br>
            New, (NONE), Cipher is (NONE)
        <br>
      </blockquote>
      <br>
      I believe the server and client have no SSL/TLS version and/or
      cipher in common and
      <br>
      therefore can't establish an encrypted connection.
      <br>
      <br>
      Some time ago I found an SSL server test suite
      <a class="moz-txt-link-freetext" href="https://github.com/drwetter/testssl.sh">https://github.com/drwetter/testssl.sh</a>
      <br>
      which tries to do what <a class="moz-txt-link-freetext" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a> does for web
      servers, but for all protocols
      <br>
      and for servers not reachable from the internet.
      <br>
      <br>
      You might want to check your server with ./testssl.sh
      mail.server.test:993
      <br>
      <br>
    </blockquote>
    <br>
    I tried with testssl.sh and sslscan, and both tools reported that TLS
    was not working on Cyrus. <br>
    <br>
    "  TLS renegotiation:<br>
       Secure session renegotiation supported"<br>
    <br>
    and<br>
    <br>
    "<br>
     Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) <br>
    <br>
     SSLv2               not offered (OK)<br>
     SSLv3               not offered (OK)<br>
     TLS 1               not offered<br>
     TLS 1.1             not offered<br>
     <b>TLS 1.2             not offered</b><br>
     SPDY/NPN            (SPDY is an HTTP protocol and thus not tested
    here)<br>
     HTTP2/ALPN          (HTTP/2 is a HTTP protocol and thus not tested
    here)<br>
    <br>
    "<br>
    <br>
    <br>
    I solved it by specifying ciphers in this way (in /etc/imapd.conf):<br>
    <br>
    tls_ciphers:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA<br>
    <br>
    instead of<br>
    <br>
    tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH<br>
    <br>
    <br>
    And now, TLS 1.2 is working. <br>
    <br>
    Thanks!<br>
    <br>
    <blockquote
cite="mid:20161130100341.Horde.z9-G1D2VPB8LgBZutnsY9BE@webmail.uni-tuebingen.de"
      type="cite">
      <br>
      <blockquote type="cite">    Secure Renegotiation IS NOT supported
        <br>
            Compression: NONE
        <br>
            Expansion: NONE
        <br>
            No ALPN negotiated
        <br>
            SSL-Session:
        <br>
                Protocol  : TLSv1.2
        <br>
                Cipher    : 0000
        <br>
                Session-ID:
        <br>
                Session-ID-ctx:
        <br>
                Master-Key:
        <br>
                PSK identity: None
        <br>
                PSK identity hint: None
        <br>
                SRP username: None
        <br>
                Start Time: 1480435442
        <br>
                Timeout   : 7200 (sec)
        <br>
                Verify return code: 0 (ok)
        <br>
                Extended master secret: no
        <br>
            ---
        <br>
        <br>
        <br>
        I'm using these versions:
        <br>
        <br>
        cyrus-admin                           2.5.10-2
        <br>
        cyrus-clients                         2.5.10-2
        <br>
        cyrus-common                          2.5.10-2
        <br>
        cyrus-doc                             2.5.10-2
        <br>
        cyrus-imapd                           2.5.10-2
        <br>
        cyrus-murder                          2.5.10-2
        <br>
        cyrus-pop3d                           2.5.10-2
        <br>
        cyrus-replication                     2.5.10-2
        <br>
        <br>
        <br>
        <br>
        Both the certificate and the key are accessible by user cyrus.
        The certificate is
        <br>
        up to date.
        <br>
        <br>
        This is the config:
        <br>
        <br>
        $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
        <br>
            [...]
        <br>
            tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
        <br>
            tls_client_ca_dir: /etc/ssl/certs
        <br>
            tls_client_ca_file: /etc/ssl/certs/cyrus.pem
        <br>
            tls_server_cert: /etc/ssl/certs/cyrus.pem
        <br>
            tls_server_key: /etc/ssl/private/cyrus.key
        <br>
            tls_session_timeout: 0
        <br>
            [...]
        <br>
        <br>
        <br>
        And before I declared myself "I'm completely lost", I was watching
        <br>
        entropy ... but it is OK.
        <br>
        <br>
        #cat /proc/sys/kernel/random/entropy_avail
        <br>
        2354
        <br>
        <br>
        <br>
        <br>
        Any suggestions?
        <br>
        <br>
        Thanks in advance!
        <br>
        <br>
        <br>
        <br>
        Javier.-
        <br>
        <br>
        <br>
        ----
        <br>
        Cyrus Home Page: <a class="moz-txt-link-freetext" href="http://www.cyrusimap.org/">http://www.cyrusimap.org/</a>
        <br>
        List Archives/Info:
        <a class="moz-txt-link-freetext" href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/">http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a>
        <br>
        To Unsubscribe:
        <br>
        <a class="moz-txt-link-freetext" href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a>
        <br>
      </blockquote>
      <br>
      <br>
      <br>
--------------------------------------------------------------------------------
      <br>
      M.Menge                                Tel.: (49) 7071/29-70316
      <br>
      Universität Tübingen                   Fax.: (49) 7071/29-5912
      <br>
      Zentrum für Datenverarbeitung          mail:
      <a class="moz-txt-link-abbreviated" href="mailto:michael.menge@zdv.uni-tuebingen.de">michael.menge@zdv.uni-tuebingen.de</a>
      <br>
      Wächterstraße 76
      <br>
      72074 Tübingen
      <br>
      <br>
    </blockquote>
    <p><br>
    </p>
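    <p>As an added example, not code from this thread, from Cyrus or from OpenSSL: the script below feeds the two <code>tls_ciphers</code> values quoted in the reply above (the old value and the replacement) to the libssl that the Python interpreter is linked against, lists the cipher suites each string actually selects, grouped by the minimum protocol version libssl records for each suite, flags any selected suite from the families the corrected string removes with <code>!aNULL</code>, <code>!eNULL</code>, <code>!EXP</code>, <code>!3DES</code>, <code>!MD5</code>, <code>!RC4</code>, <code>!PSK</code>, <code>!DSS</code> and <code>!ECDSA</code>, and handles a string that matches nothing (which libssl rejects outright, leaving a server with no usable suite) by returning an empty list instead of raising. With OpenSSL 1.1.0 and later, the <code>TLSv1</code> keyword in a cipher string matches only suites whose minimum protocol version is exactly TLS 1.0, so the AES-GCM and SHA-256 suites, whose minimum is TLS 1.2, never enter a list built from <code>TLSv1+HIGH</code>; the per-version grouping is what makes that visible. The exact sets depend on the installed OpenSSL release by design, so it should be run on the host being diagnosed. The function and constant names, the name-fragment table and the <code>!ALL</code> probe string are this example's own.</p>

```python
"""Expand OpenSSL cipher strings the way libssl does and compare two
tls_ciphers settings.  Added example: not Cyrus or OpenSSL code.

Only the standard-library ssl module is used.  It links the libssl of
the host it runs on, so the expansion shown is the one that library
really applies; results differ between OpenSSL releases by design.
"""
import ssl

# The two tls_ciphers values from the thread, copied verbatim.
OLD_CIPHERS = "TLSv1+HIGH:!aNULL:@STRENGTH"
NEW_CIPHERS = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
    "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:"
    "!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
)

# Name fragments of the suite families NEW_CIPHERS removes with !aNULL
# (ADH-/AECDH-), !eNULL, !EXP, !3DES (DES-CBC3), !MD5, !RC4, !PSK, !DSS
# and !ECDSA.  Assumption of this example: OpenSSL's suite names carry
# exactly these fragments, which holds for the names libssl uses today.
EXCLUDED_MARKERS = ("ADH-", "AECDH-", "NULL", "EXP", "DES-CBC3",
                    "MD5", "RC4", "PSK", "DSS", "ECDSA")


def expand_cipher_string(cipher_string):
    """Suites libssl selects for cipher_string, TLS 1.2 and earlier only.

    Each entry is the dict ssl.SSLContext.get_ciphers() returns (keys
    include 'name', 'protocol', 'kea', 'auth', 'aead').  TLS 1.3 suites
    are listed by libssl whatever the cipher string says, so they are
    dropped: they carry no information about what the string matched.
    Returns [] when libssl rejects the string because nothing matches,
    the same condition that leaves a server with no usable suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:          # "No cipher can be selected."
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def by_min_version(cipher_string):
    """Map each minimum protocol version to the suite names selected for it.

    A result without a 'TLSv1.2' key means no AES-GCM or SHA-256 suite
    was selected at all, whatever protocol versions the server enables.
    """
    groups = {}
    for c in expand_cipher_string(cipher_string):
        groups.setdefault(c["protocol"], []).append(c["name"])
    return groups


def excluded_suites(cipher_string):
    """Selected suites that belong to the families NEW_CIPHERS excludes."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if any(m in c["name"] for m in EXCLUDED_MARKERS)]


def report(label, cipher_string):
    """Print one readable block per cipher string."""
    print(f"== {label}: {cipher_string}")
    groups = by_min_version(cipher_string)
    if not groups:
        print("   rejected by libssl: no cipher can be selected")
        return
    for proto, names in sorted(groups.items()):
        print(f"   min {proto:<7} {len(names):3d} suites, e.g. "
              f"{', '.join(names[:3])}")
    bad = excluded_suites(cipher_string)
    print(f"   suites from excluded families: "
          f"{', '.join(bad) if bad else 'none'}")


if __name__ == "__main__":
    print("libssl in use:", ssl.OPENSSL_VERSION)
    report("old tls_ciphers", OLD_CIPHERS)
    report("new tls_ciphers", NEW_CIPHERS)
    report("matches nothing (probe)", "!ALL")
```

    <p>The same expansion is available from the command line as <code>openssl ciphers -v 'TLSv1+HIGH:!aNULL:@STRENGTH'</code>, which is the quicker check on a server without Python; in either form the check only means something when it runs against the libssl the imapd binary actually loads, not against a different build on a workstation.</p>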
  </body>
</html>