Problems with SSL [SOLVED]

Infraestructura TIC - UNNOBA tecnologia at unnoba.edu.ar
Wed Nov 30 08:49:04 EST 2016


Thanks, Michael.


On 30/11/16 at 06:03, Michael Menge via Info-cyrus wrote:
> Hi,
>
>
> Quoting Infraestructura TIC - UNNOBA via Info-cyrus
> <info-cyrus at lists.andrew.cmu.edu>:
>
>> Hello!
>> I've been using Cyrus on a Debian VM for several years, but now SSL has
>> started to fail:
>>
>>     Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
>> hard-coded DH parameters
>>     Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
>> failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
>>
>> I tried with self-signed certificates, and third-party ones, but the
>> result is the same.
>> I spent two days trying to figure out what happened, without results.
>>
>>     #openssl s_client -connect mail.server.test:993 -crlf -state
>>     CONNECTED(00000003)
>>     SSL_connect:before SSL initialization
>>     SSL_connect:SSLv3/TLS write client hello
>>     SSL3 alert read:fatal:handshake failure
>>     SSL_connect:error in SSLv3/TLS write client hello
>>     140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
>> alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
>>     40
>>     ---
>>     no peer certificate available
>>     ---
>>     No client certificate CA names sent
>>     ---
>>     SSL handshake has read 7 bytes and written 176 bytes
>>     Verification: OK
>>     ---
>>     New, (NONE), Cipher is (NONE)
>
> I believe the server and client have no SSL/TLS version and/or cipher in
> common and therefore can't establish an encrypted connection.
>
> Some time ago I found an SSL server test suite
> https://github.com/drwetter/testssl.sh
> which tries to do what https://www.ssllabs.com/ does for web servers,
> but for all protocols
> and for servers not reachable from the internet.
>
> You might want to check your server with ./testssl.sh
> mail.server.test:993
>

I tried with testssl.sh and sslscan, and both tools reported that TLS was
not working on Cyrus.

"  TLS renegotiation:
   Secure session renegotiation supported"

and

"
 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               not offered
 TLS 1.1             not offered
 *TLS 1.2             not offered*
 SPDY/NPN            (SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN          (HTTP/2 is a HTTP protocol and thus not tested here)

"


I solved it by specifying ciphers in this way (in /etc/imapd.conf):

tls_ciphers:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

instead of

tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH


And now, TLS 1.2 is working.

Thanks!

>
>>     Secure Renegotiation IS NOT supported
>>     Compression: NONE
>>     Expansion: NONE
>>     No ALPN negotiated
>>     SSL-Session:
>>         Protocol  : TLSv1.2
>>         Cipher    : 0000
>>         Session-ID:
>>         Session-ID-ctx:
>>         Master-Key:
>>         PSK identity: None
>>         PSK identity hint: None
>>         SRP username: None
>>         Start Time: 1480435442
>>         Timeout   : 7200 (sec)
>>         Verify return code: 0 (ok)
>>         Extended master secret: no
>>     ---
>>
>>
>> I'm using these versions:
>>
>> cyrus-admin                           2.5.10-2
>> cyrus-clients                         2.5.10-2
>> cyrus-common                          2.5.10-2
>> cyrus-doc                             2.5.10-2
>> cyrus-imapd                           2.5.10-2
>> cyrus-murder                          2.5.10-2
>> cyrus-pop3d                           2.5.10-2
>> cyrus-replication                     2.5.10-2
>>
>>
>>
>> Both certificate and key are accessible by user cyrus. The certificate is
>> up-to-date.
>>
>> This is the config:
>>
>> $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
>>     [...]
>>     tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
>>     tls_client_ca_dir: /etc/ssl/certs
>>     tls_client_ca_file: /etc/ssl/certs/cyrus.pem
>>     tls_server_cert: /etc/ssl/certs/cyrus.pem
>>     tls_server_key: /etc/ssl/private/cyrus.key
>>     tls_session_timeout: 0
>>     [...]
>>
>>
>> And before I declared myself "completely lost", I was watching the
>> entropy ... but it is ok.
>>
>> #cat /proc/sys/kernel/random/entropy_avail
>> 2354
>>
>>
>>
>> Any suggestions?
>>
>> Thanks in advance!
>>
>>
>>
>> Javier.-
>>
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>
>
>
> --------------------------------------------------------------------------------
>
> M.Menge                                Tel.: (49) 7071/29-70316
> Universität Tübingen                   Fax.: (49) 7071/29-5912
> Zentrum für Datenverarbeitung          mail:
> michael.menge at zdv.uni-tuebingen.de
> Wächterstraße 76
> 72074 Tübingen
>
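The thread's fix is a different `tls_ciphers` string, accepted on faith once TLS 1.2 came back. The following is an added check, not code from the thread or from Cyrus: it expands a candidate cipher-list string with the OpenSSL build Python is linked against (so the result for the old string may differ from what the poster's 2016 Debian host saw) and refuses specs that expand to nothing or that still admit the families the `!...` terms were meant to exclude. `WEAK`, `expand`, `audit` and `acceptable` are names chosen here.

```python
"""Audit a Cyrus tls_ciphers value before putting it in /etc/imapd.conf.

Added example (not from the mailing-list thread). The expansion is done by
whatever OpenSSL this Python links against, so counts differ between hosts;
the point is the check: an empty expansion is exactly the "handshake
failure, Cipher is (NONE)" seen in the thread.
"""
import re
import ssl

# Families the thread's "!..." terms are meant to exclude, matched on suite names.
WEAK = re.compile(r"RC4|DES|MD5|NULL|EXP|PSK|SEED|IDEA|ECDSA|DSS|SRP")


def expand(spec):
    """Return the TLS <= 1.2 suites OpenSSL selects for spec; [] if none match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # "No cipher can be selected": the spec is empty
        return []
    # TLS 1.3 suites are configured separately and are listed whatever spec says.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(spec):
    """Summarise what a tls_ciphers value actually offers."""
    suites = expand(spec)
    names = [c["name"] for c in suites]
    return {
        "names": names,
        # "protocol" is each suite's minimum version, e.g. SSLv3, TLSv1.0, TLSv1.2.
        "protocols": sorted({c["protocol"] for c in suites}),
        "weak": [n for n in names if WEAK.search(n)],
        # True when TLS 1.2-only suites (AEAD / SHA-2) made it into the list.
        "has_tls12_suites": any(c["protocol"] == "TLSv1.2" for c in suites),
    }


def acceptable(spec):
    """Non-empty, offers TLS 1.2 suites, and nothing from the excluded families."""
    r = audit(spec)
    return bool(r["names"]) and r["has_tls12_suites"] and not r["weak"]


OLD = "TLSv1+HIGH:!aNULL:@STRENGTH"  # the value that failed in the thread
NEW = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
       "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:"
       "!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA")

if __name__ == "__main__":
    for label, spec in (("old", OLD), ("new", NEW)):
        r = audit(spec)
        print(f"{label}: {len(r['names'])} suites, protocols={r['protocols']}, "
              f"weak={r['weak']}, acceptable={acceptable(spec)}")
```

Running it against a candidate string before restarting Cyrus turns a silent "no ciphers in common" into a visible empty expansion.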

