Problems with SSL

Michael Menge michael.menge at zdv.uni-tuebingen.de
Wed Nov 30 04:03:41 EST 2016


Hi,


Quoting Infraestructura TIC - UNNOBA via Info-cyrus <info-cyrus at lists.andrew.cmu.edu>:

> Hello!
> I've been using cyrus on a Debian VM for several years, but now SSL has started to fail:
>
>     Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading hard-coded DH parameters
>     Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
>
> I tried with self-signed certificates, and third-party ones, but the
> result is the same.
> I spent two days trying to figure out what happened, without results.
>
>     #openssl s_client -connect mail.server.test:993 -crlf -state
>     CONNECTED(00000003)
>     SSL_connect:before SSL initialization
>     SSL_connect:SSLv3/TLS write client hello
>     SSL3 alert read:fatal:handshake failure
>     SSL_connect:error in SSLv3/TLS write client hello
>     140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number 40
>     ---
>     no peer certificate available
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 7 bytes and written 176 bytes
>     Verification: OK
>     ---
>     New, (NONE), Cipher is (NONE)

I believe the server and client have no SSL/TLS version and/or cipher in common and
therefore can't establish an encrypted connection.

Some time ago I found an SSL server test suite, https://github.com/drwetter/testssl.sh,
which tries to do what https://www.ssllabs.com/ does for web servers, but for all protocols
and for servers not reachable from the internet.

You might want to check your server with ./testssl.sh mail.server.test:993


>     Secure Renegotiation IS NOT supported
>     Compression: NONE
>     Expansion: NONE
>     No ALPN negotiated
>     SSL-Session:
>         Protocol  : TLSv1.2
>         Cipher    : 0000
>         Session-ID:
>         Session-ID-ctx:
>         Master-Key:
>         PSK identity: None
>         PSK identity hint: None
>         SRP username: None
>         Start Time: 1480435442
>         Timeout   : 7200 (sec)
>         Verify return code: 0 (ok)
>         Extended master secret: no
>     ---
>
>
> I'm using these versions:
>
> cyrus-admin                           2.5.10-2
> cyrus-clients                         2.5.10-2
> cyrus-common                          2.5.10-2
> cyrus-doc                             2.5.10-2
> cyrus-imapd                           2.5.10-2
> cyrus-murder                          2.5.10-2
> cyrus-pop3d                           2.5.10-2
> cyrus-replication                     2.5.10-2
>
>
>
> Both the certificate and the key are accessible by user cyrus. The certificate is
> up-to-date.
>
> This is the config:
>
> $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
>     [...]
>     tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
>     tls_client_ca_dir: /etc/ssl/certs
>     tls_client_ca_file: /etc/ssl/certs/cyrus.pem
>     tls_server_cert: /etc/ssl/certs/cyrus.pem
>     tls_server_key: /etc/ssl/private/cyrus.key
>     tls_session_timeout: 0
>     [...]
>
>
> And before I declared "I'm completely lost", I checked the
> entropy ... but it is ok.
>
> #cat /proc/sys/kernel/random/entropy_avail
> 2354
>
>
>
> Any suggestions?
>
> Thanks in advance!
>
>
>
> Javier.-
>
>



--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail:  michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
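As an added illustration of the "no cipher in common" diagnosis above (example code written for this archive page, not part of the thread or of Cyrus), the script below expands two OpenSSL cipher strings, such as the quoted tls_ciphers value and whatever a client offers, and reports which TLS 1.2-or-lower suites they share; the client string "ECDHE+AESGCM" is a constructed example. Expansion is done by the OpenSSL build that Python's ssl module is linked against, so results depend on that build and its security level.

```python
"""Check whether two OpenSSL cipher strings (e.g. a Cyrus tls_ciphers value
and what a client offers) share any TLS 1.2-or-lower cipher suite."""
import ssl


def expand_ciphers(spec: str) -> list[str]:
    """Expand an OpenSSL cipher string into the concrete suite names it
    selects, in preference order. TLS 1.3 suites are excluded because
    OpenSSL configures them separately and get_ciphers() always lists them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL refuses a string that selects nothing usable under the
        # current security level; treat that as "no suites at all".
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_ciphers(server_spec: str, client_spec: str) -> list[str]:
    """Suites both sides accept, in the server's preference order.
    An empty result means a TLS 1.2 handshake ends in alert 40
    (handshake_failure), which is what the quoted s_client run shows."""
    client = set(expand_ciphers(client_spec))
    return [name for name in expand_ciphers(server_spec) if name in client]


if __name__ == "__main__":
    # The tls_ciphers value from the quoted cyr_info output, checked against
    # a constructed client that only offers ECDHE AES-GCM suites.
    server = "TLSv1+HIGH:!aNULL:@STRENGTH"
    client = "ECDHE+AESGCM"
    print("server selects:", expand_ciphers(server))
    print("client offers :", expand_ciphers(client))
    common = shared_ciphers(server, client)
    print("shared        :", common or "NONE -> expect handshake_failure")
```

Run it with the server's real tls_ciphers value and a cipher string matching the failing client to see the overlap without touching the network; testssl.sh then confirms what the live server actually negotiates.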


