Problems with port 993 (SSL)

Wed Sep 2 14:20:31 EDT 2015

Hello Stefan,

Op 02-09-15 om 17:04 schreef Stefan Suurmeijer:
> On 2-9-2015 12:56, Paul van der Vlis wrote:
>> Op 02-09-15 om 01:36 schreef Stefan Suurmeijer:
>> From the OSX v10.11 release notes (released 15-8):
>>
>>   * DHE_RSA cipher suites are now disabled by default in Secure
>>     Transport for TLS clients. This may cause a failure to connect to
>>     TLS servers that only support DHE_RSA cipher suites. Applications
>>     that explicitly enable cipher suites using SSLSetEnabledCiphers()
>>     are not affected. Safari may display a “Safari can’t establish a
>>     secure connection to the server” error page. Safari and other
>>     clients of CFNetwork API (NSURLSession, NSURLConnection,
>>     CFHTTPStream, CFSocketStream and Cocoa equivalent) will show a
>>     “CFNetwork SSLHandshake failed” error in Console.
>>
>>
>> Maybe you can use checktls.com to find out which cipher your site uses.
>> A very useful site.
>> Interesting site, but I need more time to understand the tests.
>>
>> When I use openssl, I get a long timeout after "CONNECTED", and then
>> something what looklikes there is no certificate available at all:
>> -----------------
>> paul at server2:~$ openssl s_client -connect mail.vandervlis.nl:993
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 0 bytes and written 295 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>> paul at server2:~$
>> -----------------
>>
>> Port 465 (postfix SSL/TLS) has the same problem.
>>
>> When I use openssl to port 443 what uses the same certificate,
>> everything is fine. But TLSv1 with DHE-RSA-AES256-SHA cipher is used.
>> I am using a SHA256 certificate with a 2048 bit public key.
> 
> If that cipher is used on port 993 as well, then probably connecting
> from an Apple OSX machine won't work (I assume that is what you're
> testing?)

No, I test with:
openssl s_client -connect mail.vandervlis.nl:443

> , since Apple no longer allows DHE-RSA, as stated above. But
> connecting from an Apple machine to port 443 using the same cipher//does
> work? 

I don't have a Mac, I will ask somebody.

But I think I would have heard it.

> Maybe because you're using the SSLCipherSuite option in your
> Apache config? From the release notes, that might not be affected
> ("Applications that explicitly enable cipher suites using
> SSLSetEnabledCiphers() are not affected")

Yes, I use SSLCipherSuite:
SSLCipherSuite HIGH:MEDIUM:!ADH

>> Realize that this has worked for a long time, and so far I know I did
>> not change anything.
>>
>> On my new mailserver port 993 (Cyrus 2.4.17) works fine with the same
>> certificate. (Only tested with openssl.)
> 
> What cipher does that one use? 

ECDHE-RSA-AES256-SHA

> The certificate isn't the problem I
> think, the cipher you use probably is.

But why isn't it a problem on port 143 with STARTTLS on the old machine?

>>> If your site uses a DHE-RSA cipher, you may need to change the
>>> tls_cipher_list in your imapd.conf
>> I only accept TLSv1 high-security ciphers:
>> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> 
> Hm, I don't know if that would allow DHE-RSA, maybe someone from Horde
> knows that

This is about Cyrus and imapd.conf, not about Horde.

I think the tls_cipher_list allows DHE-RSA, but the question is more if
there are alternatives offered. I think the machine should offer:
TLS_RSA_WITH_AES_256_CBC_SHA.

But it lookslike there is something else wrong on port 993, it says: "no
peer certificate available". I don't understand that.

I will not spend much time on this issue on the old machine, because
port 143 works fine. And save my energy for the migration to the new
machine...

With regards,
Paul van der Vlis.

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/