Problems with SSL
Michael Menge
michael.menge at zdv.uni-tuebingen.de
Wed Nov 30 04:03:41 EST 2016
Hi,
Quoting Infraestructura TIC - UNNOBA via Info-cyrus
<info-cyrus at lists.andrew.cmu.edu>:
> Hello!
> I've been using cyrus on a Debian vm for several years, but now SSL has started to fail:
>
> Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
> hard-coded DH parameters
> Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
> failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
>
> I tried with self-signed certificates, and third-party ones, but the
> result is the same.
> I spent two days trying to figure out what happened, without results.
>
> #openssl s_client -connect mail.server.test:993 -crlf -state
> CONNECTED(00000003)
> SSL_connect:before SSL initialization
> SSL_connect:SSLv3/TLS write client hello
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv3/TLS write client hello
> 140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
> alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
> 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 176 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
I believe the server and client have no SSL/TLS version and/or cipher
in common and therefore can't establish an encrypted connection.
Some time ago I found an SSL server test suite,
https://github.com/drwetter/testssl.sh,
which tries to do what https://www.ssllabs.com/ does for web servers,
but for all protocols and for servers not reachable from the internet.
You might want to check your server with ./testssl.sh mail.server.test:993
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1480435442
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> ---
>
>
> I'm using these versions:
>
> cyrus-admin 2.5.10-2
> cyrus-clients 2.5.10-2
> cyrus-common 2.5.10-2
> cyrus-doc 2.5.10-2
> cyrus-imapd 2.5.10-2
> cyrus-murder 2.5.10-2
> cyrus-pop3d 2.5.10-2
> cyrus-replication 2.5.10-2
>
>
>
> Both certificate and key are accessible by user cyrus. The certificate is
> up-to-date.
>
> This is the config:
>
> $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info conf
> [...]
> tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
> tls_client_ca_dir: /etc/ssl/certs
> tls_client_ca_file: /etc/ssl/certs/cyrus.pem
> tls_server_cert: /etc/ssl/certs/cyrus.pem
> tls_server_key: /etc/ssl/private/cyrus.key
> tls_session_timeout: 0
> [...]
>
>
> And before I declared myself "I'm completely lost", I was watching
> entropy ... but it is ok.
>
> #cat /proc/sys/kernel/random/entropy_avail
> 2354
>
>
>
> Any suggestions?
>
> Thanks in advance!
>
>
>
> Javier.-
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen