<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thanks, Michael.<br>
<br>
<br>
On 30/11/16 at 06:03, Michael Menge via Info-cyrus wrote:<br>
</div>
<blockquote
cite="mid:20161130100341.Horde.z9-G1D2VPB8LgBZutnsY9BE@webmail.uni-tuebingen.de"
type="cite">Hi,
<br>
<br>
<br>
Quoting Infraestructura TIC - UNNOBA via Info-cyrus
<a class="moz-txt-link-rfc2396E" href="mailto:info-cyrus@lists.andrew.cmu.edu"><info-cyrus@lists.andrew.cmu.edu></a>:
<br>
<br>
<blockquote type="cite">Hello!
<br>
I've been using cyrus on a Debian VM for several years, but now SSL
has started to fail:
<br>
<br>
Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
<br>
hard-coded DH parameters
<br>
Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS
negotiation
<br>
failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
<br>
<br>
I tried with self-signed certificates, and third-party ones, but
the
<br>
result is the same.
<br>
I spent two days trying to figure out what happened, without
results.
<br>
<br>
#openssl s_client -connect mail.server.test:993 -crlf -state
<br>
CONNECTED(00000003)
<br>
SSL_connect:before SSL initialization
<br>
SSL_connect:SSLv3/TLS write client hello
<br>
SSL3 alert read:fatal:handshake failure
<br>
SSL_connect:error in SSLv3/TLS write client hello
<br>
140019483313280:error:14094410:SSL
routines:ssl3_read_bytes:sslv3
<br>
alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert
number
<br>
40
<br>
---
<br>
no peer certificate available
<br>
---
<br>
No client certificate CA names sent
<br>
---
<br>
SSL handshake has read 7 bytes and written 176 bytes
<br>
Verification: OK
<br>
---
<br>
New, (NONE), Cipher is (NONE)
<br>
</blockquote>
<br>
I believe the server and client have no SSL/TLS version and/or
Cipher in common and
<br>
therefore can't establish an encrypted connection.
<br>
<br>
Some time ago I found an SSL server test suite
<a class="moz-txt-link-freetext" href="https://github.com/drwetter/testssl.sh">https://github.com/drwetter/testssl.sh</a>
<br>
which tries to do what <a class="moz-txt-link-freetext" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a> does for web
servers but for all protocols
<br>
and servers not reachable from the internet.
<br>
<br>
You might want to check your server with ./testssl.sh
mail.server.test:993
<br>
<br>
</blockquote>
<br>
I tried with testssl.sh and sslscan and both tools reported that TLS
was not working on Cyrus. <br>
<br>
" TLS renegotiation:<br>
Secure session renegotiation supported"<br>
<br>
and<br>
<br>
"<br>
Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) <br>
<br>
SSLv2 not offered (OK)<br>
SSLv3 not offered (OK)<br>
TLS 1 not offered<br>
TLS 1.1 not offered<br>
<b>TLS 1.2 not offered</b><br>
SPDY/NPN (SPDY is an HTTP protocol and thus not tested
here)<br>
HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested
here)<br>
<br>
"<br>
<br>
<br>
I solved it by specifying ciphers in this way (in /etc/imapd.conf):<br>
<br>
tls_ciphers:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA<br>
<br>
instead of<br>
<br>
tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH<br>
<br>
<br>
And now, TLS 1.2 is working. <br>
<br>
Thanks!<br>
<br>
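<p>Added example (not from the thread or the Cyrus project): a small Python check that expands an OpenSSL cipher string with the standard <code>ssl</code> module the way a server would, so a <code>tls_ciphers</code> value can be validated before it goes into imapd.conf. The two strings are the ones quoted above; the verdict reflects the OpenSSL that the local Python is linked against, not the Debian build in the thread.</p>

```python
"""Expand an OpenSSL cipher string and report whether it leaves any TLS 1.2
suites enabled.  Added example, not code from the thread or from Cyrus."""
import ssl

# The two tls_ciphers values quoted in the thread (imapd.conf).
OLD_CIPHERS = "TLSv1+HIGH:!aNULL:@STRENGTH"
NEW_CIPHERS = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
    "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:"
    "!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
)


def expand_ciphers(cipher_string):
    """Return the TLS <= 1.2 suites the string selects, in preference order.

    An empty list means OpenSSL matched nothing: a server configured with
    such a string has no suite to offer, and every handshake ends in a
    'handshake failure' alert like the one in the thread.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:          # "No cipher can be selected."
        return []
    # TLS 1.3 suites are configured separately and are always present;
    # drop them so the result reflects only what this string selected.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls12_suites(cipher_string):
    """Names of the selected suites that require TLS 1.2 (AEAD / SHA-2)."""
    return [c["name"] for c in expand_ciphers(cipher_string)
            if c["protocol"] == "TLSv1.2"]


def check_config(cipher_string):
    """One-line verdict for a pre-deployment check of a tls_ciphers value."""
    suites = expand_ciphers(cipher_string)
    if not suites:
        return "REJECT: string selects no cipher suite at all"
    modern = tls12_suites(cipher_string)
    if not modern:
        return "WARN: %d suites, none specific to TLS 1.2" % len(suites)
    return "OK: %d suites, %d require TLS 1.2" % (len(suites), len(modern))


if __name__ == "__main__":
    for label, s in (("old", OLD_CIPHERS), ("new", NEW_CIPHERS)):
        print(label, check_config(s))
        for c in expand_ciphers(s):
            print("   ", c["protocol"], c["name"])
```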
<blockquote
cite="mid:20161130100341.Horde.z9-G1D2VPB8LgBZutnsY9BE@webmail.uni-tuebingen.de"
type="cite">
<br>
<blockquote type="cite"> Secure Renegotiation IS NOT supported
<br>
Compression: NONE
<br>
Expansion: NONE
<br>
No ALPN negotiated
<br>
SSL-Session:
<br>
Protocol : TLSv1.2
<br>
Cipher : 0000
<br>
Session-ID:
<br>
Session-ID-ctx:
<br>
Master-Key:
<br>
PSK identity: None
<br>
PSK identity hint: None
<br>
SRP username: None
<br>
Start Time: 1480435442
<br>
Timeout : 7200 (sec)
<br>
Verify return code: 0 (ok)
<br>
Extended master secret: no
<br>
---
<br>
<br>
<br>
I'm using these versions:
<br>
<br>
cyrus-admin 2.5.10-2
<br>
cyrus-clients 2.5.10-2
<br>
cyrus-common 2.5.10-2
<br>
cyrus-doc 2.5.10-2
<br>
cyrus-imapd 2.5.10-2
<br>
cyrus-murder 2.5.10-2
<br>
cyrus-pop3d 2.5.10-2
<br>
cyrus-replication 2.5.10-2
<br>
<br>
<br>
<br>
Both certificate and key are accessible to user cyrus.
The certificate is
<br>
up to date.
<br>
<br>
This is the config:
<br>
<br>
$sudo -u cyrus /usr/lib/cyrus/bin/cyr_info conf
<br>
[...]
<br>
tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
<br>
tls_client_ca_dir: /etc/ssl/certs
<br>
tls_client_ca_file: /etc/ssl/certs/cyrus.pem
<br>
tls_server_cert: /etc/ssl/certs/cyrus.pem
<br>
tls_server_key: /etc/ssl/private/cyrus.key
<br>
tls_session_timeout: 0
<br>
[...]
<br>
<br>
<br>
And before I declared myself "completely lost", I was
checking
<br>
entropy ... but it is ok.
<br>
<br>
#cat /proc/sys/kernel/random/entropy_avail
<br>
2354
<br>
<br>
<br>
<br>
Any suggestions?
<br>
<br>
Thanks in advance!
<br>
<br>
<br>
<br>
Javier.-
<br>
<br>
<br>
----
<br>
Cyrus Home Page: <a class="moz-txt-link-freetext" href="http://www.cyrusimap.org/">http://www.cyrusimap.org/</a>
<br>
List Archives/Info:
<a class="moz-txt-link-freetext" href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/">http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a>
<br>
To Unsubscribe:
<br>
<a class="moz-txt-link-freetext" href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a>
<br>
</blockquote>
<br>
<br>
<br>
--------------------------------------------------------------------------------
<br>
M.Menge Tel.: (49) 7071/29-70316
<br>
Universität Tübingen Fax.: (49) 7071/29-5912
<br>
Zentrum für Datenverarbeitung mail:
<a class="moz-txt-link-abbreviated" href="mailto:michael.menge@zdv.uni-tuebingen.de">michael.menge@zdv.uni-tuebingen.de</a>
<br>
Wächterstraße 76
<br>
72074 Tübingen
<br>
<br>
</blockquote>
</body>
</html>