On Wednesday, 29 October 2014, 14:05:53 you wrote:
> I'm not a TLS expert, but I wanted to clarify a few things:
>
> On Wed, Oct 29, 2014 at 11:17 AM, elrippo <[email protected]> wrote:
> > On Wednesday, 29 October 2014, 10:27:35 Cyborg wrote:
> >
> > I had some time for testing, and I am sorry to tell you that this is
> > affected from Exim 4.82 on Ubuntu 14.04 with GnuTLS installed.
> > I did some testing with the cipher priority strings, and I find it
> > absolutely horrifying what is going on!
> > I tried different cipher suites, and then tested with swaks.
> >
> > 1.) Attempt
> > tls_require_ciphers =
> > NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128
> >
> > swaks -a -tls -q HELO -s elrippoisland.net -au elrippo -ap '<>'
> <snip>
> > === TLS started with cipher SSLv3:RC4-SHA:128
>
> You disabled all TLS protocols, only enabled SSLv3 protocol, and then
> disabled all ciphers but RC4. The results in swaks confirmed that.
>
> > 2.) Attempt
> > tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0
> >
> > swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
> <snip>
> > === TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256
>
> You disabled all TLS protocols and only enabled SSLv3. Since you
> didn't artificially limit the ciphers, it negotiated a much better one
> than RC4.
>
> > 3.) Attempt with default setting, and without any tweaking
> > swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
> > *** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
> > *** STARTTLS attempted but failed
> >
> > So please tell me, we can fix this guys......
>
> Well, when nothing is set for the tls_require_ciphers, the string
> "NORMAL" is used to init the gnutls library. What protocols and
> ciphers does "NORMAL" set for gnutls? I couldn't tell from
> http://gnutls.org/manual/html_node/Priority-Strings.html You may want
> to experiment with other predefined settings that are in that page.
>
> ...Todd

Hi Todd,

I know, I was trying to get a client working. Currently I am using

tls_require_ciphers = SECURE128:!VERS-SSL3.0

The funny thing is, with swaks from my desktop I get

*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
*** STARTTLS attempted but failed

When I use the same desktop with a client software like KMail or Thunderbird, I get an x=TLSv1.0 connection to Exim4. On the other hand, some other mail servers fall back to ESMTP due to a lacking cipher suite; almost only Google's mail server connects with TLSv1.2.

I went through almost all possible priority strings from GnuTLS, and NORMAL isn't working at all; only SECURE128:!VERS-SSL3.0 and SECURE256:!VERS-SSL3.0 are producing successful connections. This is all rather confusing to me.....

I filed a report on K-9 Mail's site, I am not the only one :)

Thank you for your assistance guys!!!

Kind regards,
elrippo.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
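The three attempts above and the final SECURE128:!VERS-SSL3.0 setting are all GnuTLS priority strings, and the confusion in the thread comes from not seeing what each initial keyword and each +/-/! modifier leaves enabled. The script below is an added illustration (not code from the thread, from Exim or from GnuTLS) that models that evaluation on a small scale and flags the settings a reviewer would reject in a tls_require_ciphers value. The preset and group tables are simplified assumptions modelled on GnuTLS 3.2-era behaviour, when NORMAL still listed SSL 3.0; the authoritative lists for a given installation come from `gnutls-cli --priority <string> -l`.

```python
"""Toy evaluator for GnuTLS-style priority strings, the format that Exim's
tls_require_ciphers option hands to GnuTLS.

Added illustration, not code from the mailing-list thread or from Exim/GnuTLS.
The tables below are simplified ASSUMPTIONS modelled on GnuTLS 3.2-era
behaviour (when NORMAL still listed SSL 3.0); real keyword contents differ
between GnuTLS versions.
"""

# Assumed protocol version lists (GnuTLS spelling).
VERS_TLS = ["VERS-TLS1.2", "VERS-TLS1.1", "VERS-TLS1.0"]
VERS_SSL3 = ["VERS-SSL3.0"]

# Assumed cipher tables; 3DES-CBC and ARCFOUR-128 are only listed in NORMAL.
CIPHERS_256 = ["AES-256-GCM", "AES-256-CBC"]
CIPHERS_128 = ["AES-128-GCM", "AES-128-CBC"]
CIPHERS_LEGACY = ["3DES-CBC", "ARCFOUR-128"]
CIPHERS_ALL = CIPHERS_256 + CIPHERS_128 + CIPHERS_LEGACY

# Initial keywords.  Every preset is assumed to still include SSL 3.0, which
# is why the thread's working string appends "!VERS-SSL3.0" explicitly.
PRESETS = {
    "NORMAL": (VERS_TLS + VERS_SSL3, CIPHERS_ALL),
    "SECURE128": (VERS_TLS + VERS_SSL3, CIPHERS_256 + CIPHERS_128),
    "SECURE256": (VERS_TLS + VERS_SSL3, CIPHERS_256),
}

# Group names that a +/-/! modifier may expand to.
GROUPS = {
    "VERS-TLS-ALL": VERS_TLS,
    "VERS-SSL3.0": VERS_SSL3,
    "VERS-ALL": VERS_TLS + VERS_SSL3,
    "CIPHER-ALL": CIPHERS_ALL,
}


def _expand(name):
    """Map a modifier name to the list of concrete items it denotes."""
    if name in GROUPS:
        return list(GROUPS[name])
    if name in CIPHERS_ALL or name in VERS_TLS + VERS_SSL3:
        return [name]
    raise ValueError("unknown priority keyword: %s" % name)


def evaluate(priority):
    """Return (versions, ciphers) left enabled by a priority string.

    '+X' appends X if absent; '-X' and '!X' remove X.  '%'-flags are skipped
    because they tune behaviour rather than select algorithms.
    """
    parts = priority.split(":")
    if parts[0] not in PRESETS:
        raise ValueError("unknown initial keyword: %s" % parts[0])
    versions, ciphers = (list(x) for x in PRESETS[parts[0]])
    for tok in parts[1:]:
        if not tok or tok[0] == "%":
            continue
        op, name = tok[0], tok[1:]
        if op not in "+-!":
            raise ValueError("bad modifier: %s" % tok)
        target = versions if name.startswith("VERS-") else ciphers
        for item in _expand(name):
            if op == "+" and item not in target:
                target.append(item)
            elif op != "+" and item in target:
                target.remove(item)
    return versions, ciphers


def weaknesses(priority):
    """Flag settings a reviewer would reject in a tls_require_ciphers value."""
    versions, ciphers = evaluate(priority)
    findings = []
    if "VERS-SSL3.0" in versions:
        findings.append("SSLv3 enabled")
    if "ARCFOUR-128" in ciphers:
        findings.append("RC4 enabled")
    if not versions:
        findings.append("no protocol versions left")
    if not ciphers:
        findings.append("no ciphers left")
    return findings


if __name__ == "__main__":
    for s in ("NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128",
              "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0",
              "NORMAL",
              "SECURE128:!VERS-SSL3.0"):
        print(s, "->", evaluate(s), weaknesses(s) or "ok")
```

Run against the strings from the thread, attempt 1 reduces to SSL 3.0 with RC4 only, attempt 2 to SSL 3.0 with the full cipher table (matching the SSLv3:DHE-RSA-AES256-SHA result swaks reported), and SECURE128:!VERS-SSL3.0 is the only one of the four that `weaknesses()` passes clean. The useful habit this models is to evaluate a priority string before deploying it, so that a "fix" such as attempt 1 is caught as a downgrade rather than discovered from client failures.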
