On 07.12.2014 at 18:02, Jan Kowalski wrote:
On , at ,
"Steffan A. Cline" <stef...@hldns.com> wrote:

have you resolved this problem yet?

I reproduce it when I connect via either imap or smtp from claws-mail
linked against gnutls 3.3.10-1 to a postfix server with dovecot sasl
enabled.

In my case it is caused by my dovecot configuration, namely:

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

According to [1]:

It seems that following poodle many sites incorrectly banned SSL 3.0
record packet versions. Since gnutls uses an SSL 3.0 record to
advertise TLS 1.2, they are effectively banning it even if it doesn't
advertise SSL 3.0.

After removing SSLv3 from ssl_cipher_list the client connected
successfully. I'm not really sure though whether it is a proper workaround
or whether I am opening a possible attack vector; I will be carrying out more
tests next weekend. However, I don't think it's necessary for gnutls to
behave this way; NSS works fine in either configuration.

Removing the !SSLv3 from "ssl_cipher_list" is the proper configuration,
hence both options exist.

That's not gnutls specific;
Outlook on WinXP behaves the same way.

ssl_prefer_server_ciphers  = yes
ssl_options = no_compression
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
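The point the quoted explanation [1] makes, as an added example that is not code from this thread, dovecot or gnutls: a small parser that reads both the record-layer version and the ClientHello's own client_version field from a constructed ClientHello, and compares a check that rejects on the record version with one that rejects on the handshake version (which is what `ssl_protocols = !SSLv2 !SSLv3` intends). The builder, the offsets and the sample hellos are assumptions made for this example.

```python
import struct

# TLS record header: type(1) version(2) length(2), then the handshake message:
# msg_type(1) length(3) ClientHello{ client_version(2) random(32) session_id ... }
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def build_client_hello(record_version, client_version):
    """Constructed ClientHello whose record version and client_version are chosen separately."""
    body = bytes(client_version) + b"\x00" * 32 + b"\x00"  # client_version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"              # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                                     # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 3-byte length
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake

def parse_versions(record):
    """Return (record_version, client_version) as (major, minor) tuples."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (record[1], record[2])
    if len(record) - 5 < struct.unpack("!H", record[3:5])[0]:
        raise ValueError("truncated record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    return rec_ver, (record[9], record[10])

def accept_by_record_version(record):
    """The mistaken post-POODLE check: any SSL 3.0 record header is refused."""
    rec_ver, _ = parse_versions(record)
    return rec_ver != (3, 0)

def accept_by_client_version(record):
    """Decide on the version the client actually offers in the ClientHello."""
    _, hs_ver = parse_versions(record)
    return hs_ver >= (3, 1)

# Constructed samples: a gnutls-style hello (SSL 3.0 record carrying a TLS 1.2 offer)
# and a genuine SSLv3-only client.
GNUTLS_STYLE_HELLO = build_client_hello((3, 0), (3, 3))
SSLV3_ONLY_HELLO = build_client_hello((3, 0), (3, 0))
```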
