Hi John, fine that this is solved in some way.
On Fri, Jan 24, 2020 at 09:07:51PM -0500, John Covici via mailop wrote:
> On Fri, 24 Jan 2020 20:30:36 -0500,
> John Covici via mailop wrote:
[..]
> > I first want to thank everyone who has been helping me on this
> > problem. Well, I found something interesting, when using openssl
> > connect to the host which is (one of them) ukiah.firemountain.net I
> > got the following output:
> >
> > SSL_connect:before SSL initialization
> > SSL_connect:SSLv3/TLS write client hello
> > SSL_connect:SSLv3/TLS write client hello
> > SSL_connect:SSLv3/TLS read server hello
> > depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU =
> > ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> > verify error:num=66:EE certificate key too weak
[..]
> > SSL_connect:SSLv3/TLS read server certificate
> > SSL3 alert write:fatal:handshake failure
> > SSL_connect:error in error
> > 140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> > small:../ssl/statem/statem_clnt.c:2150:
> > CONNECTED(00000003)
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher : 0000
> > Session-ID:
> > Session-ID-ctx:
> > Master-Key:
> > PSK identity: None
> > PSK identity hint: None
> > SRP username: None
> > Start Time: 1579904838
> > Timeout : 7200 (sec)
> > Verify return code: 18 (self signed certificate)
> > Extended master secret: no

I think this is due to the change in Debian (since Debian Buster) that
raised the lower limit to TLS 1.2. The remote site is not capable of
doing TLSv1.2. If this restriction is not given, the connection is
established with

    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA

One can see the very weak server key (only 1024 bit).

Johann
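
Added example, not part of the original message: a small Python parser for `openssl s_client` transcripts like the ones quoted in this thread, extracting verify errors, handshake errors, the negotiated protocol and cipher, and the server key size. The sample transcripts are constructed from the lines quoted in the thread; the function name, the 2048-bit threshold and the set of protocols flagged as legacy are assumptions of this example.

```python
import re

# Constructed samples, assembled from the s_client lines quoted in this thread.
SAMPLE_FAILED = """\
verify error:num=66:EE certificate key too weak
SSL3 alert write:fatal:handshake failure
140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
SAMPLE_OK = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""
MIN_KEY_BITS = 2048                      # assumed policy threshold (hypothetical)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}   # protocol versions flagged as legacy

def analyze(transcript):
    """Extract findings from an openssl s_client transcript (hypothetical helper)."""
    f = {"verify_errors": [], "handshake_errors": [], "protocol": None,
         "cipher": None, "key_bits": None, "problems": []}
    for line in map(str.strip, transcript.splitlines()):
        if m := re.match(r"verify error:num=(\d+):(.+)", line):
            f["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif m := re.match(r"\d+:error:[0-9A-F]+:SSL routines:(\w+):([^:]+):", line):
            f["handshake_errors"].append((m.group(1), m.group(2)))
        elif m := re.match(r"Protocol\s*:\s*(\S+)", line):
            f["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", line):
            f["cipher"] = m.group(1)
        elif m := re.match(r"Server public key is (\d+) bit", line):
            f["key_bits"] = int(m.group(1))
    completed = f["cipher"] not in (None, "0000")   # "0000" means no cipher agreed
    if not completed:
        f["problems"].append("handshake did not complete")
    for func, reason in f["handshake_errors"]:
        f["problems"].append(f"{reason} (raised in {func})")
    if completed and f["protocol"] in LEGACY:
        f["problems"].append(f"legacy protocol negotiated: {f['protocol']}")
    if f["key_bits"] is not None and f["key_bits"] < MIN_KEY_BITS:
        f["problems"].append(f"server key only {f['key_bits']} bit")
    return f

if __name__ == "__main__":
    for name, text in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        print(name, analyze(text)["problems"])
```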