Mailing List Archive: exim: users

TLSv1.1, TLSv1.2



Lena at lena

Apr 27, 2012, 10:08 AM

Post #1 of 4 (735 views)
TLSv1.1, TLSv1.2

After upgrading to openssl 1.0.1, my Perl script using Crypt::SSLeay
was unable to connect as a client to a web server (https);
I had to downgrade openssl to 1.0.0h on that machine (it runs Exim too).

Is the following (from Postfix 2.9.2 release notes) relevant to Exim?
If yes, should we specify
tls_require_ciphers main configuration option (Exim as server) or
tls_require_ciphers smtp transport option (Exim as client)?

-----

| This release adds support to turn off the TLSv1.1 and TLSv1.2
| protocols. Introduced with OpenSSL version 1.0.1, these are known
| to cause inter-operability problems with for example hotmail.
|
| The radical workaround is to temporarily turn off problematic
| protocols globally:
|
| /etc/postfix/main.cf:
| smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
| smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|
| smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
| smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|
| However, it may be better to temporarily turn off problematic
| protocols for broken sites only:
|
| /etc/postfix/main.cf:
| smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
|
| /etc/postfix/tls_policy:
| example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Apr 27, 2012, 5:45 PM

Post #2 of 4 (728 views)
Re: TLSv1.1, TLSv1.2 [In reply to]

On 2012-04-27 at 20:08 +0300, Lena [at] lena wrote:
> After upgrade to openssl 1.0.1, my Perl script using Crypt::SSLeay
> was unable to connect as a client to a web server (https),
> I had to downgrade openssl to 1.0.0h on that machine (it runs Exim too).

Can you identify why this failed? TLS protocol negotiation should be
robust to this sort of thing, shouldn't it? Or did the SSLv3-compatible
hack for TLS1.0 not get carried forward, so that you can only negotiate
TLS1.1+ if you're not also requesting SSLv3?

> Is the following (from Postfix 2.9.2 release notes) relevant to Exim?
> If yes, should we specify
> tls_require_ciphers main configuration option (Exim as server) or
> tls_require_ciphers smtp transport option (Exim as client)?

Both, since they're independent. At present, we can only do this via
the "tls_require_ciphers" option for OpenSSL, which really only affects
the available ciphers and I'm not clear on how something like !SSLv2
(disable the SSLv2 ciphersuite) in the ciphers spec affects
advertisement of support for SSLv2 by OpenSSL at the protocol
negotiation level.

For GnuTLS, see the "gnutls_require_protocols" option. That's direct
protocol selection. Note that GnuTLS has supported TLS1.1 & 1.2 for
some time, and Exim has supported using those since 4.77.

Are you able to test an Exim build on a different port, using GnuTLS, to
see if TLS1.1 in GnuTLS works with your script?

In OpenSSL, the global "openssl_options" option can do the same thing,
but when I was last updating the list of options, OpenSSL didn't yet
have TLS1.1 support, so those options couldn't be added. This also
requires that Exim be built _after_ installing the headers for the new
version of OpenSSL. See "tls-openssl.c", and the bits of code like this:

----------------------------8< cut here >8------------------------------
#ifdef SSL_OP_NO_SSLv2
{ US"no_sslv2", SSL_OP_NO_SSLv2 },
#endif
#ifdef SSL_OP_NO_SSLv3
{ US"no_sslv3", SSL_OP_NO_SSLv3 },
#endif
/*...*/
#ifdef SSL_OP_NO_TLSv1
{ US"no_tlsv1", SSL_OP_NO_TLSv1 },
#endif
----------------------------8< cut here >8------------------------------

I'll go check for updates in OpenSSL 1.0.1 and add some more options, as
a first pass of needed changes.

-Phil



Lena at lena

Apr 27, 2012, 11:37 PM

Post #3 of 4 (765 views)
Re: TLSv1.1, TLSv1.2 [In reply to]

> From: Phil Pennock

> > After upgrade to openssl 1.0.1, my Perl script
> > was unable to connect as a client to a web server (https),
> > I had to downgrade openssl to 1.0.0h on that machine (it runs Exim too).
>
> Can you identify why this failed?

I don't know how. I can test-run the script on my home machine
(also with FreeBSD and openssl from ports) with openssl 1.0.1a;
the diagnostics are:

-----

URL of GET request:
https://ssl.aukro.ua/enter_login.php?session=YTlmNVoACQYECQJQDgcEAABfUFYPVlUFVw9XBFtUBABVWgcFClBWVVRYXgIJB1MAVwEEVwlVOWUwYw%3D%3D&global_login_hash=1ea66362eccc3057361e97716c31776f60fbf61a&session_login_hash=0b6adff48a1777772f767d6b34050b647a675917&url=MzhkNQ4VFUYJF0tUEwoTWR1NBRoLGABVUFcRWxJOB1NWXAZUBQoSGUFZEFwIBk9GW0hmYWE2&cod=OGZkZlVlNmJk&version=A

Response:
500 Can't connect to ssl.aukro.ua:443
Content-Type: text/plain
Client-Date: Sat, 28 Apr 2012 05:04:04 GMT
Client-Warning: Internal response

Can't connect to ssl.aukro.ua:443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:00000000:lib(0):func(0):reason(0) at /usr/local/lib/perl5/site_perl/5.14.2/LWP/Protocol/http.pm line 51.

-----

No problem doing the same (log in to that website) with freshly-compiled
Firefox 12 on the same home machine with openssl 1.0.1a. No firewall.

The script is unrelated to Exim except that it's designed to run (hourly)
on the same server as Exim and shares openssl version with Exim.
So, for now Exim on my server uses openssl 1.0.0h
and cannot encounter the problem with hotmail mentioned by Postfix people:

> > Is the following (from Postfix 2.9.2 release notes) relevant to Exim?
> >
> > | This release adds support to turn off the TLSv1.1 and TLSv1.2
> > | protocols. Introduced with OpenSSL version 1.0.1, these are known
> > | to cause inter-operability problems with for example hotmail.

> > | example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

I don't know yet how to tell Perl modules LWP::Simple, LWP::UserAgent
(libwww-perl) to not use TLS1.1+.

> TLS protocol negotiation should be
> robust to this sort of thing, shouldn't it?

It should, but something went wrong.

> Or did the SSLv3-compatible
> hack for TLS1.0 not get carried forward, so that you can only negotiate
> TLS1.1+ if you're not also requesting SSLv3?

I don't understand.

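An added example (not from the thread, and not Exim or libwww-perl code) of the two things asked about in the post above: restricting a libwww-perl client so it never offers TLS 1.1/1.2, and probing one protocol version at a time so a failure can be pinned to a version rather than reported as "unknown error". It assumes LWP 6.x with LWP::Protocol::https on top of IO::Socket::SSL (whose SSL_version option understands ':!' exclusions) rather than Crypt::SSLeay, and the URL is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not from the thread: pin a libwww-perl client to chosen
# TLS versions to work around, and to diagnose, the OpenSSL 1.0.1a problem
# discussed above. Assumes LWP 6.x with LWP::Protocol::https backed by
# IO::Socket::SSL (its SSL_version accepts "SSLv23:!TLSv1_1:!TLSv1_2"
# style exclusions). The URL below is a placeholder.
use strict;
use warnings;
use LWP::UserAgent;

my $URL = 'https://www.example.invalid/';   # placeholder, not the real target

# Workaround: negotiate normally but refuse SSLv2, SSLv3, TLS 1.1 and
# TLS 1.2, the equivalent of Postfix's "protocols=!SSLv2:!TLSv1.1:!TLSv1.2".
sub tls10_only_agent {
    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,
            SSL_version     => 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2',
        },
    );
}

# Diagnosis: fix one protocol version per attempt so the outcome reads
# "fails with TLSv1_2 but works with TLSv1" instead of a generic failure.
sub probe_versions {
    my ($url) = @_;
    my %result;
    for my $version (qw(TLSv1 TLSv1_1 TLSv1_2)) {
        my $ua = LWP::UserAgent->new(
            timeout  => 30,
            ssl_opts => { verify_hostname => 1, SSL_version => $version },
        );
        my $resp = $ua->get($url);
        # LWP reports a failed connect as a synthetic 500 carrying the header
        # "Client-Warning: Internal response", as in the diagnostics above.
        my $internal = ($resp->header('Client-Warning') // '') eq 'Internal response';
        $result{$version} = ($internal ? 'FAIL: ' : 'ok: ') . $resp->status_line;
    }
    return \%result;
}

my $probe = probe_versions($URL);
printf "%-8s %s\n", $_, $probe->{$_} for sort keys %$probe;

my $resp = tls10_only_agent()->get($URL);
print $resp->is_success ? "TLS 1.0-only fetch succeeded\n"
                        : 'TLS 1.0-only fetch failed: ' . $resp->status_line . "\n";
```

A server that only fails for TLSv1_2 while TLSv1 and TLSv1_1 succeed points at the peer or the local OpenSSL build, not at LWP itself.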


exim-users at spodhuis

Apr 28, 2012, 6:34 AM

Post #4 of 4 (724 views)
Re: TLSv1.1, TLSv1.2 [In reply to]

On 2012-04-28 at 09:37 +0300, Lena [at] lena wrote:
> I don't know how. I can test-run the script on my home machine
> (also with FreeBSD and openssl from ports) with openssl 1.0.1a,
> the diagnostics:

During coding up the TLS1.1/1.2 stuff for Exim's OpenSSL integration, I
noted a peculiar value for an SSL_OP flag for disabling 1.1. Checking
further, this has already been fixed in 1.0.1b. The constant value
changes between the two releases, in an incompatible way.

Exim 4.78 will #warn at compile time if the installed version of OpenSSL
is 1.0.1a. Definitely avoid that version.

> > TLS protocol negotiation should be
> > robust to this sort of thing, shouldn't it?
>
> It should, but something went wrong.

Similarly, when testing with s_client against Exim, I get protocol
failures during renegotiation because s_client continues with TLS1.2 but
Exim's handshake reply is TLS1.0. I can find no reason for this in the
Exim source code and have spent some unproductive time trying to trace
through the OpenSSL library code to see what might be causing this.

At this point, I suspect OpenSSL 1.0.1 should be regarded as Distinctly
Alpha.

-Phil

