On Sat, Feb 23, 2013 at 1:32 AM, Phil Pennock <[email protected]> wrote:
> OpenSSL started supporting the newer renegotiation system in newer
> branches.
>
> Also, this is the CBC mode in pre-TLS1.1 so OpenSSL is probably using
> the empty fragments mitigation for the IV weaknesses. As of release
> 4.80, Exim stopped setting +dont_insert_empty_fragments because that
> lowers security: the BEAST attacks came out and we couldn't justify
> lowering everyone's security by default for the sake of some bad
> clients.
Ahh thanks for the info Phil.

> It might be that we need an `openssl_options` SMTP transport setting to
> match the global option, so that we can retry with lower security, or
> decide to turn on more compatibility unless TLS verification is being
> requested, since most MX-MX transfer is subject to MitM anyway.
>
> See the "COMPATIBILITY WARNING" in 4.80 in README.UPDATING.
>
> See also SSL_CTX_set_options(3).
>
> Try:
>
> openssl_options = +dont_insert_empty_fragments
>
> If that fixes it, then we know that this option is not *just* needed for
> old Eudora, but also some mail servers.
>
> Next, a value of +all might help, which turns on all bug compatibility
> fixes (with the combined security costs of all of them together).
> The +tls_rollback_bug setting looks like it *might* apply here.
>
> If +legacy_server_connect fixes it, then we're doing something wrong
> with options setting, since OpenSSL should have that on by default and
> we'd be clearing it inadvertently.

Hrmm, using +all (or any of the other options) did not make any difference for all the problematic remote mail servers - here are 2 separate tests from 2 different hosts. In the debug mode I can see the option is enabled but the behaviour is exactly the same.
Server 1:

10:34:24 79951 SMTP>> STARTTLS
10:34:24 79951 waiting for data on socket
10:34:24 79951 read response data: size=18
10:34:24 79951 SMTP<< 220 TLS go ahead
10:34:24 79951 openssl option, adding from 1000000: 80000bff (all)
10:34:24 79951 setting SSL CTX options: 0x81000bff
10:34:24 79951 Diffie-Hellman initialized from default with 2048-bit prime
10:34:24 79951 Initialized TLS
10:34:24 79951 Calling SSL_connect
10:34:24 79951 SSL info: before/connect initialization
10:34:24 79951 SSL info: before/connect initialization
10:34:24 79951 SSL info: SSLv2/v3 write client hello A
10:34:24 79951 SSL info: SSLv3 read server hello A
10:34:24 79951 SSL info: SSLv3 read server certificate A
10:34:24 79951 SSL info: SSLv3 read server key exchange A
10:34:24 79951 SSL info: SSLv3 read server done A
10:34:24 79951 SSL info: SSLv3 write client key exchange A
10:34:24 79951 SSL info: SSLv3 write change cipher spec A
10:34:24 79951 SSL info: SSLv3 write finished A
10:34:24 79951 SSL info: SSLv3 flush data
10:34:25 79951 SSL info: SSLv3 read finished A
10:34:25 79951 SSL info: SSL negotiation finished successfully
10:34:25 79951 SSL info: SSL negotiation finished successfully
10:34:25 79951 SSL_connect succeeded
10:34:25 79951 Cipher: TLSv1.2:DHE-RSA-AES256-SHA256:256
10:34:25 79951 SMTP>> EHLO mx2.nd.co.za
10:34:25 79951 tls_do_write(0x7fffffffce80, 19)
10:34:25 79951 SSL_write(SSL, 0x7fffffffce80, 19)
10:34:25 79951 outbytes=19 error=0
10:34:25 79951 waiting for data on socket
10:34:25 79951 Calling SSL_read(0x801e0d400, 0x7fffffffae80, 4096)
10:34:25 79951 read response data: size=149
10:34:25 79951 SMTP<< 250-mx11.supremebox.com Hello mx2.nd.co.za [196.2.147.90]
10:34:25 79951 250-SIZE 20971520
10:34:25 79951 250-8BITMIME
10:34:25 79951 250-PIPELINING
10:34:25 79951 250-AUTH CRAM-MD5 PLAIN LOGIN
10:34:25 79951 250 HELP
10:34:25 79951 198.23.53.42 in hosts_avoid_pipelining? no (option unset)
10:34:25 79951 using PIPELINING
10:34:25 79951 198.23.53.42 in hosts_require_auth? no (option unset)
10:34:25 79951 198.23.53.42 in hosts_try_auth? no (option unset)
10:34:25 79951 SMTP>> MAIL FROM:<> SIZE=1346
10:34:25 79951 SMTP>> RCPT TO:<[email protected]>
10:34:25 79951 SMTP>> DATA
10:34:25 79951 tls_do_write(0x7fffffffce80, 66)
10:34:25 79951 SSL_write(SSL, 0x7fffffffce80, 66)
10:34:25 79951 outbytes=66 error=0
10:34:25 79951 waiting for data on socket
10:34:25 79951 Calling SSL_read(0x801e0d400, 0x7fffffffae80, 4096)
10:34:25 79951 SSL info: SSL negotiation finished successfully
10:34:25 79951 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
10:34:25 79951 tls_close(): shutting down SSL
10:34:25 79951 SSL info: SSL negotiation finished successfully
10:34:25 79951 LOG: MAIN
10:34:25 79951 Remote host mx1.supremebox.com [198.23.53.42] closed connection in response to MAIL FROM:<> SIZE=1346

Server 2:

10:37:06 11802 SMTP>> EHLO mx1.percol8.co.za
10:37:06 11802 waiting for data on socket
10:37:06 11802 read response data: size=334
10:37:06 11802 SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
10:37:06 11802 250-TURN
10:37:06 11802 250-SIZE
10:37:06 11802 250-ETRN
10:37:06 11802 250-PIPELINING
10:37:06 11802 250-DSN
10:37:06 11802 250-ENHANCEDSTATUSCODES
10:37:06 11802 250-8bitmime
10:37:06 11802 250-BINARYMIME
10:37:06 11802 250-CHUNKING
10:37:06 11802 250-VRFY
10:37:06 11802 250-TLS
10:37:06 11802 250-STARTTLS
10:37:06 11802 250-X-EXPS GSSAPI NTLM LOGIN
10:37:06 11802 250-X-EXPS=LOGIN
10:37:06 11802 250-AUTH GSSAPI NTLM LOGIN
10:37:06 11802 250-AUTH=LOGIN
10:37:06 11802 250-X-LINK2STATE
10:37:06 11802 250-XEXCH50
10:37:06 11802 250 OK
10:37:06 11802 216.16.235.136 in hosts_avoid_tls? no (option unset)
10:37:06 11802 SMTP>> STARTTLS
10:37:06 11802 waiting for data on socket
10:37:06 11802 read response data: size=29
10:37:06 11802 SMTP<< 220 2.0.0 SMTP server ready
10:37:06 11802 openssl option, adding from 1000000: 80000bff (all)
10:37:06 11802 setting SSL CTX options: 0x81000bff
10:37:06 11802 Diffie-Hellman initialized from default with 2048-bit prime
10:37:06 11802 Initialized TLS
10:37:06 11802 Calling SSL_connect
10:37:06 11802 SSL info: before/connect initialization
10:37:06 11802 SSL info: before/connect initialization
10:37:06 11802 SSL info: SSLv2/v3 write client hello A
10:37:07 11802 SSL info: SSLv3 read server hello A
10:37:07 11802 SSL info: SSLv3 read server certificate A
10:37:07 11802 SSL info: SSLv3 read server done A
10:37:07 11802 SSL info: SSLv3 write client key exchange A
10:37:07 11802 SSL info: SSLv3 write change cipher spec A
10:37:07 11802 SSL info: SSLv3 write finished A
10:37:07 11802 SSL info: SSLv3 flush data
10:37:07 11802 SSL info: SSLv3 read finished A
10:37:07 11802 SSL info: SSL negotiation finished successfully
10:37:07 11802 SSL info: SSL negotiation finished successfully
10:37:07 11802 SSL_connect succeeded
10:37:07 11802 Cipher: TLSv1:DES-CBC3-SHA:168
10:37:07 11802 SMTP>> EHLO mx1.percol8.co.za
10:37:07 11802 tls_do_write(0x7fffffffca80, 24)
10:37:07 11802 SSL_write(SSL, 0x7fffffffca80, 24)
10:37:07 11802 outbytes=24 error=0
10:37:07 11802 waiting for data on socket
10:37:07 11802 Calling SSL_read(0x801c0e800, 0x7fffffffaa80, 4096)
10:37:07 11802 read response data: size=311
10:37:07 11802 SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
10:37:07 11802 250-TURN
10:37:07 11802 250-SIZE
10:37:07 11802 250-ETRN
10:37:07 11802 250-PIPELINING
10:37:07 11802 250-DSN
10:37:07 11802 250-ENHANCEDSTATUSCODES
10:37:07 11802 250-8bitmime
10:37:07 11802 250-BINARYMIME
10:37:07 11802 250-CHUNKING
10:37:07 11802 250-VRFY
10:37:07 11802 250-X-EXPS GSSAPI NTLM LOGIN
10:37:07 11802 250-X-EXPS=LOGIN
10:37:07 11802 250-AUTH GSSAPI NTLM LOGIN
10:37:07 11802 250-AUTH=LOGIN
10:37:07 11802 250-X-LINK2STATE
10:37:07 11802 250-XEXCH50
10:37:07 11802 250 OK
10:37:07 11802 216.16.235.136 in hosts_avoid_pipelining? no (option unset)
10:37:07 11802 using PIPELINING
10:37:07 11802 216.16.235.136 in hosts_require_auth? no (option unset)
10:37:07 11802 216.16.235.136 in hosts_try_auth? no (option unset)
10:37:07 11802 SMTP>> MAIL FROM:<> SIZE=5433
10:37:07 11802 SMTP>> RCPT TO:<[email protected]>
10:37:07 11802 SMTP>> DATA
10:37:07 11802 tls_do_write(0x7fffffffca80, 65)
10:37:07 11802 SSL_write(SSL, 0x7fffffffca80, 65)
10:37:07 11802 outbytes=65 error=0
10:37:07 11802 waiting for data on socket
10:37:07 11802 Calling SSL_read(0x801c0e800, 0x7fffffffaa80, 4096)
10:37:08 11802 SSL info: SSL negotiation finished successfully
10:37:08 11802 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
10:37:08 11802 tls_close(): shutting down SSL
10:37:08 11802 SSL info: SSL negotiation finished successfully
10:37:08 11802 LOG: MAIN
10:37:08 11802 Remote host maila.printspots.com [216.16.235.136] closed connection in response to MAIL FROM:<> SIZE=5433
10:37:08 11802 set_process_info: 11802 delivering 1U8sTB-0002Kv-NH: just tried maila.printspots.com [216.16.235.136] for [email protected]: result DEFER

Any other ideas?

Thanks,
Warren

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
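Not part of the thread: a small triage script added here to check a trace like the one above mechanically. It groups lines by Exim pid, decodes which SSL_OP bits the "setting SSL CTX options" value actually carries (bit values assumed from OpenSSL 1.0.x ssl.h; the log itself only confirms 0x80000bff for "all" and 0x1000000 as the base), and flags sessions where SSL_connect completed but the peer dropped the pipelined MAIL/RCPT/DATA batch. The log excerpt is constructed from the trace above with a placeholder recipient.

```python
import re
from collections import defaultdict
# SSL_OP_* bit values as in OpenSSL 1.0.x ssl.h (assumed; the debug log above
# confirms 0x80000bff for "all" and 0x1000000 as Exim's base options).
SSL_OP = {"DONT_INSERT_EMPTY_FRAGMENTS": 0x00000800, "TLS_ROLLBACK_BUG": 0x00800000,
          "LEGACY_SERVER_CONNECT": 0x00000004, "NO_SSLv2": 0x01000000}

# Constructed excerpt modelled on the Exim -d output quoted above; the
# recipient address is a placeholder.
SAMPLE_LOG = """\
10:34:24 79951 SMTP>> STARTTLS
10:34:24 79951 setting SSL CTX options: 0x81000bff
10:34:25 79951 SSL_connect succeeded
10:34:25 79951 Cipher: TLSv1.2:DHE-RSA-AES256-SHA256:256
10:34:25 79951 SMTP>> EHLO mx2.nd.co.za
10:34:25 79951 SMTP>> MAIL FROM:<> SIZE=1346
10:34:25 79951 SMTP>> RCPT TO:<user@example.invalid>
10:34:25 79951 SMTP>> DATA
10:34:25 79951 Remote host mx1.supremebox.com [198.23.53.42] closed connection in response to MAIL FROM:<> SIZE=1346
"""
LINE = re.compile(r"^\d\d:\d\d:\d\d (\d+) (.*)$")  # "HH:MM:SS pid message"

def triage(log):
    """Per Exim pid: did the handshake finish, which SSL_OP bits were actually
    applied, and did the peer drop the pipelined MAIL/RCPT/DATA batch?"""
    sessions = defaultdict(lambda: {"tls_ok": False, "options": 0, "cipher": None,
                                    "verbs_after_tls": [], "closed_after": None})
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if msg.startswith("setting SSL CTX options: "):
            s["options"] = int(msg.rsplit(" ", 1)[1], 16)
        elif msg == "SSL_connect succeeded":
            s["tls_ok"] = True
        elif msg.startswith("Cipher: "):
            s["cipher"] = msg[len("Cipher: "):]
        elif msg.startswith("SMTP>> ") and s["tls_ok"]:
            s["verbs_after_tls"].append(msg[7:].split(" ", 1)[0])
        elif "closed connection in response to " in msg:
            s["closed_after"] = msg.split("in response to ", 1)[1]
    for s in sessions.values():
        s["opts_set"] = sorted(n for n, b in SSL_OP.items() if s["options"] & b)
        # Handshake done and the drop came only after a pipelined batch: the
        # fault is at the SMTP layer, not in the TLS bug-compatibility options.
        s["post_handshake_drop"] = (s["tls_ok"] and s["closed_after"] is not None
                                    and {"MAIL", "RCPT", "DATA"} <= set(s["verbs_after_tls"]))
    return dict(sessions)
```

Run it over a full `exim -d` trace: a session with `post_handshake_drop` set and `DONT_INSERT_EMPTY_FRAGMENTS` in `opts_set` is exactly the pattern above, so further openssl_options tweaks are unlikely to help and the next thing to try is pipelining or the SIZE parameter on that host.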
