On 2014-10-29 at 05:27 +0100, elrippo wrote:
> On Monday, 20 October 2014, 19:39:20 Phil Pennock wrote:
> > So, how have you ruled out that this is a client limitation, with a
> > client which doesn't support TLS?
> >
> > Which clients are you trying to use?
> The only ciphers that work are "tls_require_ciphers expands to
> SECURE256:!VERS-SSL3.0"
> But now I am getting trouble with a client software saying that it could not
> negotiate a proper cipher suite.....
>
> "TLS error on connection from android.mywireless [192.168.xxx.xxx]
> (gnutls_handshake): Could not negotiate a supported cipher suite"

Okay, that gets us a little closer to answering the question which was asked, which was "which clients are you trying to use".

I think that you're using Android 2.2 or older, so you don't have TLS support. Thus you can't disable SSLv3 in the servers you care about. For HTTPS, this is a severe problem, for SMTP it's not (yet).

The announcement message which Tony sent said:

} Nonetheless, this attack is driving a major shift to eliminate the use of
} SSLv3 in all protocols, so we can expect future releases of security
} libraries to drop support. You should probably try to identify problems
} before you have no back-out strategy, by working to eliminate those
} clients and servers which do not support TLS. Exim logs cipher suite
} details by default, so you can check the size of the problem at your site
} by scanning your logs for the string " X=SSL".

With Exim supporting TLS, the only connections which will log X=SSL (in the absence of an attack) are those for clients which do not support TLS. So, by disabling SSLv3 you have successfully identified clients which do not support TLS, and now you can re-enable SSLv3 and tackle getting those clients upgraded/replaced/fixed, before trying again.

Yes, this is horrible. Such is life: _because_ you tried disabling SSLv3 while you still have the option to go back to it, you are not in deep trouble with no way out, so things aren't as horrible as they could be.

At this point, it's no longer an Exim issue: Exim is merely the software which is helping you identify that you have a problem elsewhere.
When it comes to Android: a mobile always-online device which isn't getting OS updates with security fixes is a compromised device and a walking attractive nuisance. It's deeply unfortunate that so many vendors have gotten away with dumping products on the market without regard to the lifecycle costs of protecting their customers.

If this hardware is simply too old to be taking new OS images, then it's time to start planning how to replace it with new hardware which can, or looking into putting different firmware on the device yourself (cyanogenmod or whatever the cool people are using these days; I don't keep track).

If this hardware is less than three years old and not getting OS updates and security fixes, then blacklist that vendor, don't buy from them again, and find a vendor who actually supports the products which they sell and works to protect their customers.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
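The " X=SSL" log check Phil quotes, carried out per client, as an added example that is not part of the thread or of Exim itself. The log lines, host names and addresses are constructed for the example; the regexes assume Exim's default main-log layout for the H= and X= fields.

```python
import re
from collections import Counter

# Constructed Exim main-log lines (made up for this example, not taken from the
# thread). Exim logs the negotiated protocol and cipher in the X= field by default.
SAMPLE_LOG = """\
2014-10-29 05:01:12 1XjK3a-0001bC-2f <= user@example.org H=android.mywireless [192.168.1.50] P=esmtpsa X=SSL3.0:RSA_AES_256_CBC_SHA1:256 CV=no A=login S=812
2014-10-29 05:03:40 1XjK5x-0001bQ-1a <= user@example.org H=laptop.mywireless [192.168.1.20] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no A=login S=2048
2014-10-29 05:04:02 1XjK6b-0001bZ-9k <= other@example.net H=mx.example.net (mail.example.net) [203.0.113.7] P=esmtps X=TLS1.0:RSA_AES_128_CBC_SHA1:128 CV=no S=4096
2014-10-29 05:05:55 1XjK7c-0001cA-3d <= user@example.org H=android.mywireless [192.168.1.50] P=esmtpsa X=SSL3.0:RSA_AES_256_CBC_SHA1:256 CV=no A=login S=640
2014-10-29 05:06:30 1XjK8d-0001cB-4e <= plain@example.com H=[198.51.100.9] P=esmtp S=300
"""

# H= is "hostname [ip]", "[ip]" alone, or "hostname (helo-name) [ip]".
HOST_RE = re.compile(r" H=(?:(?P<host>[^\s\[]+) )?(?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]")
# X= is "<protocol>:<cipher suite>:<key bits>"; the protocol part is all we need.
CIPHER_RE = re.compile(r" X=(?P<proto>[^:\s]+):(?P<suite>\S+)")


def parse_line(line):
    """Return (host, ip, proto, suite) for a line with an X= field, else None
    (cleartext sessions and non-connection lines carry no X= field)."""
    c = CIPHER_RE.search(line)
    if c is None:
        return None
    h = HOST_RE.search(line)
    ip = h.group("ip") if h else "?"
    host = (h.group("host") if h else None) or ip
    return host, ip, c.group("proto"), c.group("suite")


def protocol_summary(log_text):
    """Count sessions per negotiated protocol version (e.g. SSL3.0, TLS1.2)."""
    return Counter(p[2] for p in map(parse_line, log_text.splitlines()) if p)


def ssl_only_clients(log_text):
    """Per-client count of sessions that used SSLv3. With TLS enabled on the
    server, X=SSL sessions come from clients that cannot do TLS, so each host
    listed here needs upgrading or replacing before SSLv3 is disabled for good."""
    counts = Counter()
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed and parsed[2].upper().startswith("SSL"):
            counts[(parsed[0], parsed[1])] += 1
    return counts


if __name__ == "__main__":
    print("sessions by protocol:", dict(protocol_summary(SAMPLE_LOG)))
    for (host, ip), n in ssl_only_clients(SAMPLE_LOG).most_common():
        print(f"SSLv3-only client: {host} [{ip}] ({n} sessions)")
```

Run against a real mainlog (`python3 script.py < /var/log/exim4/mainlog` after swapping SAMPLE_LOG for stdin) the second loop gives the list of clients to chase before the cipher restriction is tried again.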
