Thanks for this, Eric.

I created an ‘iCloud.com’ address for myself, and did some tests.

First, I tried sending to it with my existing tlsserverciphers file, which 
contained:

        ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA

and the log file showed:

        delivery 25433: deferral: TLS_connect_failed:_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;_connected_to_17.172.34.65./

Next, I tested rebuilding the tlsserverciphers file using the qmail.spec code 
that you provided. This generated a new file that was, as far as I could see, 
identical to the existing one. Again, my test message failed.

I then copy-pasted your enormous cipher list into the tlsserverciphers file and 
tried again (I stopped and started qmail between each attempt). Again, I got a 
failure.

However, I noticed that in addition to ‘tlsserverciphers’ I also had a 
‘tlsserverciphers.dist’ file, which contained:

        DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5

I copied this to ‘tlsserverciphers’, did the stop/start dance again, and tried 
one last time.

This went through without generating an error in the log file.

When I checked my iCloud.com mailbox, I found three of my test messages 
(tests 2, 3 and 4), which puzzled me, because 2 and 3 definitely generated 
errors when I first tried to send them. I think the explanation must be that 
qmail retried these messages quite soon after the initial failure, by which 
time I had installed the ‘correct’ cipher file.

So it looks as if ‘tlsserverciphers.dist’ contains the necessary mix of 
ciphers. I’m not sure why your monster list failed, but looking at it I notice 
that there was a line break in the middle of 'DHE-RSA-AES128-SHA’, which may 
have screwed things up.

I have a vague memory that there was a reason why my ciphers file looked the 
way it did, and that it was based on past advice on this list. So this may yet 
come back to bite me.

"Do not meddle in the affairs of ciphers, for they are subtle and quick to 
anger."

Angus


On Jul 12, 2014, at 12:52 PM, Eric Shubert <e...@shubes.net> wrote:

> On 07/11/2014 11:18 AM, Angus McIntyre wrote:
>> Attempts to send messages to a user at 'me.com' (whose mail exchanger is
>> at Apple's 'icloud.com') have been failing consistently with the error:
>> 
>>    TLS connect failed: error:14077410:SSL
>>    routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>>    handshake failure; connected to 17.158.8.113.
>> 
>> Does anyone know whether this indicates a possible issue with my toaster
>> setup, or is the fault at the other end?
>> 
>> Angus
>> 
>> ---------------------------------------------------------------------
> 
> Could be either end. Have you modified your tlsserverciphers phile ;) 
> according to what was discussed here a few months back? We changed the 
> ciphers to use stronger keys, IIRC.
> 
> I'm guessing that me.com is either not capable of using the stronger ciphers 
> you're using (if you're doing so), or perhaps me.com is requiring only 
> stronger ciphers that you're not set up to use.
> 
> My file is as follows:
> DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128
> -SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
> 
> Here's the current qmail.spec code for generating this file:
> touch %{qcon}/tlsserverciphers
> rm -fr %{qcon}/tlsclientciphers > /dev/null 2>&1
> echo " Making tlsserverciphers."
> ./%{_bindir}/openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' \
>               > %{qcon}/tlsserverciphers
> chown root:qmail %{qcon}/tlsserverciphers
> chmod 644 %{qcon}/tlsserverciphers
> 
> This code, along with other %post install processing, will be made into 
> scripts outside of the spec file at some point very soon.
> 
> Please let us know how you make out.
> 
> -- 
> -Eric 'shubes'
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
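As an added illustration (not code from this thread or from the qmailtoaster project), a small POSIX shell lint for a tlsserverciphers file that catches the line-break problem Angus suspected, checks each cipher name against the local OpenSSL, and can offer exactly that list to a mail exchanger over STARTTLS; file paths and host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the qmailtoaster project: lint a qmail
# tlsserverciphers file for the defect suspected in the thread (a line
# break or stray whitespace inside the cipher list) before restarting
# qmail, and optionally try the list against a mail exchanger.
# File paths and host names used with these functions are assumptions.

# check_cipher_file FILE: 0 if FILE is exactly one line of non-empty,
# colon-separated names with no whitespace; otherwise print why and return 1.
check_cipher_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    # NR also counts a final unterminated line, so a wrapped list shows as >1
    lines=$(awk 'END { print NR }' "$f")
    if [ "$lines" -ne 1 ]; then
        echo "$f: expected 1 line, found $lines (a wrapped list breaks cipher names)"
        return 1
    fi
    if grep -q '[[:space:]]' "$f"; then
        echo "$f: whitespace inside the cipher list"
        return 1
    fi
    if grep -qE '^:|::|:$|^$' "$f"; then
        echo "$f: empty cipher name (leading, double or trailing colon)"
        return 1
    fi
    return 0
}

# check_names_known FILE: ask the local OpenSSL about each name separately,
# so a truncated name such as DHE-RSA-AES128 is reported; skipped if no openssl.
check_names_known() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    rc=0
    for name in $(tr ':' ' ' < "$1"); do
        openssl ciphers "$name" >/dev/null 2>&1 || { echo "unknown cipher: $name"; rc=1; }
    done
    return $rc
}

# try_mx FILE HOST: offer exactly this list over STARTTLS to HOST:25 and
# report whether a handshake completes (needs network access to HOST).
try_mx() {
    if printf 'QUIT\r\n' | openssl s_client -connect "$2:25" -starttls smtp \
            -cipher "$(cat "$1")" >/dev/null 2>&1; then
        echo "handshake ok with $2"
    else
        echo "handshake failed with $2"
    fi
}
```

Run check_cipher_file and check_names_known on the file that `openssl ciphers` generated before doing the stop/start dance; try_mx reproduces the deferral or success for one MX without waiting for qmail's retry.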

