subject:"\[exim\] GnuTTS woes"

Re: [exim] GnuTTS woes

2022-09-30 Thread Jasen Betts via Exim-users

On 2022-09-30, Jeremy Harris via Exim-users  wrote:
> On 30/09/2022 09:11, Jasen Betts via Exim-users wrote:
>> Testssl.sh primes its ALPN requests based on the port number used
>
> What does it use for 25/465/567 ?   I don't know of an actual Standard;
> I just picked the obvious for Exim.

I think nothing, I have not checked the source.

testssl also does replays of stored "TLS Hello"s representing
several different browsers they will have whatever ALPN was recorded
when they were created. 

 Further IP addresses:   2400:8907::f03c:93ff:fe2d:f557 
 rDNS (172.105.179.7):   172-105-179-7.ip.linodeusercontent.com.
 Service detected:   Couldn't determine what's running on port 465, 
assuming no HTTP service => skipping all HTTP checks

 Testing protocols via sockets except NPN+ALPN 

 SSLv2  not offered (OK)
 SSLv3  not offered (OK)

It seems mostly focussed on testing web servers,

It seems to be built around openssl (command line) and does support starttls 
for the
same protocols supported by openssl.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 06:02:35PM +0100, Jeremy Harris via Exim-users wrote:
> On 30/09/2022 16:46, Viktor Dukhovni via Exim-users wrote:
> >>  00C0C6000800:error:0A0C0103:SSL 
> >> routines:tls_process_key_exchange:internal 
> >> error:ssl/statem/statem_clnt.c:2254:
> >>
> >> I'll try to find some time to file a bug.  Feel free to beat me to it.
>
> > Actually, this is expected behaviour:
> > 
> >  https://github.com/openssl/openssl/issues/15335#issuecomment-843843617
> 
> Including that error line?
> 
> 
> No obvious difference with that "ciphers"   :-
> 
> 17:39:23 59777 SMTP>> 220 TLS go ahead
> 17:39:23 59777 Calling SSL_accept
> 17:39:23 59777 SSL hshake_start: before SSL initialization
> 17:39:23 59777 SSL SSL_accept,state_chg: before SSL initialization
> 17:39:23 59777 SSL SSL_accept,state_chg: before SSL initialization
> 17:39:23 59777 SSL write,alert fatal:protocol version
> 17:39:23 59777 SSL SSL_accept,hshake_exit: error in error
> 17:39:23 59777 TLS error '(SSL_accept): error:100C0102:BIO routines::passed a 
> null parameter'

Do you also have a TLS version floor?  "protocol version" sure sounds
like it.  Anyway, this is perhaps a distraction from the GnuTLS issue,
which you've identifies IIRC (SSL 3.0-compatible handshake with no TLS
extensions fails against Exim + GnuTLS as reported).

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users


On 30/09/2022 16:46, Viktor Dukhovni via Exim-users wrote:

 00C0C6000800:error:0A0C0103:SSL 
routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:

I'll try to find some time to file a bug.  Feel free to beat me to it.

Actually, this is expected behaviour:

 https://github.com/openssl/openssl/issues/15335#issuecomment-843843617


Including that error line?



No obvious difference with that "ciphers"   :-

17:39:23 59777 SMTP>> 220 TLS go ahead
17:39:23 59777 Calling SSL_accept
17:39:23 59777 SSL hshake_start: before SSL initialization
17:39:23 59777 SSL SSL_accept,state_chg: before SSL initialization
17:39:23 59777 SSL SSL_accept,state_chg: before SSL initialization
17:39:23 59777 SSL write,alert fatal:protocol version
17:39:23 59777 SSL SSL_accept,hshake_exit: error in error
17:39:23 59777 TLS error '(SSL_accept): error:100C0102:BIO routines::passed a 
null parameter'


The lines starting "SSL " are SSL_CTX_set_info_callback() events;
the "error in error"  is a ret<0 with SSL_state_string_long() of "error"
(not very helpful).

The "TLS error" is a <=0 from SSL_accept()
with SSL_get_error() being SSL_ERROR_SSL;
the "null param" bit could have been directly from that error
or could have been from earlier.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 11:23:47AM -0400, Viktor Dukhovni via Exim-users wrote:

> I just reproduced the problem with a fresh build of 3.0.6-dev from
> github (built on FreeBSD 12.3):
> 
> $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl 
> s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
> Can't use SSL_get_servername
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = <...>
> verify return:1
> 00C0C6000800:error:0A0C0103:SSL 
> routines:tls_process_key_exchange:internal 
> error:ssl/statem/statem_clnt.c:2254:
> 
> I'll try to find some time to file a bug.  Feel free to beat me to it.

Actually, this is expected behaviour:

https://github.com/openssl/openssl/issues/15335#issuecomment-843843617

To get SHA1 ciphers to work, one needs to set the security level to 0.

$ openssl s_client -quiet -starttls smtp -tls1_1 -cipher "ALL:@SECLEVEL=0" 
-connect $(uname -n):25
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <...>
verify return:1
250 CHUNKING
quit
221 2.0.0 Bye

Jeremy, if you retry with "@SECLEVEL=0", you should see OpenSSL work as
expected.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 11:05:57AM -0400, Viktor Dukhovni via Exim-users wrote:

> > Clearing either no_tlsv1_1 or no_sslv3 has no effect.
> 
> Of course, if there's no support, the CLI flags don't matter.  TLS 1.1 does
> not work with OpenSSL 3.0.5, Though it looks more like a bug to me:
> 
> $ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = dnssec-stats.ant.isi.edu
> verify return:1
> C0A1EBA5F27F:error:0A0C0103:SSL 
> routines:tls_process_key_exchange:internal 
> error:ssl/statem/statem_clnt.c:2252:

I just reproduced the problem with a fresh build of 3.0.6-dev from
github (built on FreeBSD 12.3):

$ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl 
s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <...>
verify return:1
00C0C6000800:error:0A0C0103:SSL 
routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:

I'll try to find some time to file a bug.  Feel free to beat me to it.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 03:48:18PM +0100, Jeremy Harris via Exim-users wrote:

> OpenSSL 3.0.5 5 Jul 2022running on Fedora 36
> 
> I think using the distro standard package
> openssl-1:3.0.2-4.fc36.x86_64
> (though I note the numbers don't exactly line up)
>
> The failure mode is a TLS Alert complaining about version
> (I forget the precise wording, sorry)
> and followed by what looks like a library internal bug-triggered
> error for a BIO operation error.
> 
> Clearing either no_tlsv1_1 or no_sslv3 has no effect.

Of course, if there's no support, the CLI flags don't matter.  TLS 1.1 does
not work with OpenSSL 3.0.5, Though it looks more like a bug to me:

$ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dnssec-stats.ant.isi.edu
verify return:1
C0A1EBA5F27F:error:0A0C0103:SSL 
routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2252:

Things work better with TLS 1.2:

$ openssl s_client -quiet -starttls smtp -tls1_2 -connect $(uname -n):25
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dnssec-stats.ant.isi.edu
verify return:1
250 CHUNKING
QUIT
221 2.0.0 Bye

If this is still broken in 3.0.6-dev, a bug report may be appropriate.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users


On 30/09/2022 15:48, Jeremy Harris wrote:

OpenSSL 3.0.5 5 Jul 2022    running on Fedora 36

I think using the distro standard package
openssl-1:3.0.2-4.fc36.x86_64
(though I note the numbers don't exactly line up)


Correction:  openssl-1:3.0.5-1.fc36.x86_64
probably from the Fedora "updates" repo.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 02:09:19PM +0200, Cyborg via Exim-users wrote:

> My POV here: "why waiting".  Encryption doesn't slow down todays cpus 
> anymore as it has 15 years ago, same for a smartphone soc.

Mobile devices have batteries, and large RSA keys have a real packet
size and latency cost.  Keys larger than 2048-bits are largely futile.
No plausible classical attack can brute-force them.  Various OS packages
are typically signed with 2048-bit keys, transmitted via TLS connections
authenticated with 2048-bit RSA, ...

My take is that 3072-bit RSA and especially 4096-bit RSA is for most
users a fashion statement, rather than a technically sound choice.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users


On 30/09/2022 15:33, Viktor Dukhovni via Exim-users wrote:

On Fri, Sep 30, 2022 at 02:04:51PM +0100, Jeremy Harris via Exim-users wrote:

Note that this client won't work against current OpenSSL
default builds.


When you say "current" you mean 3.1-dev?  What is the observed failure
mode?  It "works" against the latest OpenSSL 1.1.1 (the server responds
with server hello, certificate, ..., server hello done).

Perhaps TLS 1.1 is not enabled in your build?


OpenSSL 3.0.5 5 Jul 2022running on Fedora 36

I think using the distro standard package
openssl-1:3.0.2-4.fc36.x86_64
(though I note the numbers don't exactly line up)

The failure mode is a TLS Alert complaining about version
(I forget the precise wording, sorry)
and followed by what looks like a library internal bug-triggered
error for a BIO operation error.

Clearing either no_tlsv1_1 or no_sslv3 has no effect.


Let me know if you need a repeat run.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 02:04:51PM +0100, Jeremy Harris via Exim-users wrote:

> Ah, the difference is the total lack of TLS extensions
> in the Client Hello.
> 
> Commit ece23f05d6 pushed.
> 
> Note that this client won't work against current OpenSSL
> default builds.

When you say "current" you mean 3.1-dev?  What is the observed failure
mode?  It "works" against the latest OpenSSL 1.1.1 (the server responds
with server hello, certificate, ..., server hello done).

Perhaps TLS 1.1 is not enabled in your build?

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users


On 30/09/2022 09:14, Jeremy Harris via Exim-users wrote:

On 30/09/2022 06:06, Jasen Betts via Exim-users wrote:

It seems to be ALPN causing the problem.

this was the commit that "broke" it...

commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)


Curious, given that the testsuite makes non-ALPN connections
all over the place.  I'll try to duplicate your config
and connection within the testsuite...


Ah, the difference is the total lack of TLS extensions
in the Client Hello.

Commit ece23f05d6 pushed.


Note that this client won't work against current OpenSSL
default builds.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Cyborg via Exim-users


Am 29.09.22 um 12:19 schrieb Evgeniy Berdnikov via Exim-users:



corps and gov entities, which states, that 2048 bit RSA keys, for any
purpose,*should*  not be used anymore in 2022.

  
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile=10

  Comment to table 3.1:

  | For a period of use beyond 2022, it is recommended to use RSA/DLIES
  | keys of 3000 bits length to achieve a consistent level of security in
  | all recommended asymmetric encryption schemes. The key length of 2000
  | bits will remain compliant with this Technical Guideline for DLIES
  | keys until the end of 2022, and also transitionally for RSA keys until
  | the end of 2023.

  So, BSI statement is significantly different from what you wrote.



"recommended" is a suggestion to do something, not an enforcement. So 
"should" is the correct form.


To shorten this up: 'You "should" use bigger keys, for a usage beyond 
2022, but you don't need to.' (to stay compliant with the tr)


My POV here: "why waiting".  Encryption doesn't slow down todays cpus 
anymore as it has 15 years ago, same for a smartphone soc.


best regards,
Marius


OpenPGP_0x048770A738345DD3.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users


On 30/09/2022 09:11, Jasen Betts via Exim-users wrote:

Testssl.sh primes its ALPN requests based on the port number used


What does it use for 25/465/567 ?   I don't know of an actual Standard;
I just picked the obvious for Exim.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users


On 30/09/2022 06:06, Jasen Betts via Exim-users wrote:

It seems to be ALPN causing the problem.

this was the commit that "broke" it...

commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)


Curious, given that the testsuite makes non-ALPN connections
all over the place.  I'll try to duplicate your config
and connection within the testsuite...
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-30 Thread Jasen Betts via Exim-users

On 2022-09-30, Andrew C Aitchison via Exim-users  wrote:
> On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:
>
>> On 2022-09-30, Viktor Dukhovni via Exim-users  wrote:
>>> On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:
>>>
> With the older Exim, GnuTLS appears to consider six cipher suites before
> finding a suitable choice (after skipping all the DHE candidates).

 I can disable DHE_RSA by saying

 tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA

 and now it chooses the same suite that 4.94 was choosing
 but there is still an error after the suite is chosen.
>>>
>>> You could keep debugging GnuTLS, or just use a version of Exim with TLS
>>> support via OpenSSL, which will likely just work.  Your call.
>>>
>>> Some resource that GnuTLS expects to use is not available when it is
>>> initialised by the problem version of Exim.  If not a DHE group,
>>> likely something else related cryptography.  To debug, you'd need
>>> to figure out where that error is raised.  Lack of help from strace
>>> is not unexpected.
>>
>> It seems to be ALPN causing the problem.
>>
>> this was the commit that "broke" it...
>>
>> commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
>> Author: Jeremy Harris 
>> Date:   Tue Jun 22 23:04:59 2021 +0100
>>
>>TLS: as server, reject connections with ALPN indicating non-smtp use
>>
>> The problem seems to be "gnutls_ext_raw_parse" returning
>> GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
>> (or when no extensions are being used?) this is undocumented
>> behaviour, but is sematically compatible with the description of that
>> function.
>
> IIRC you were testing on port 443.

Recently I changed to testing on 465.

Testing 4.96 on 443 showed negative results for many web browsers
(unsurprisingly now) versin 4.94 (which was released just before ALPN
was implemented in exim) gives positive results.

> Just out of interest,
> what happens if you use a port without a special TLS meaning ?

Recently I've just been replaying the recorded Paradox "TLS hello" for testing.

Testssl.sh primes its ALPN requests based on the port number used (but
that can probably be overridden)

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Andrew C Aitchison via Exim-users


On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:


On 2022-09-30, Viktor Dukhovni via Exim-users  wrote:

On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:


With the older Exim, GnuTLS appears to consider six cipher suites before
finding a suitable choice (after skipping all the DHE candidates).


I can disable DHE_RSA by saying

tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA

and now it chooses the same suite that 4.94 was choosing
but there is still an error after the suite is chosen.


You could keep debugging GnuTLS, or just use a version of Exim with TLS
support via OpenSSL, which will likely just work.  Your call.

Some resource that GnuTLS expects to use is not available when it is
initialised by the problem version of Exim.  If not a DHE group,
likely something else related cryptography.  To debug, you'd need
to figure out where that error is raised.  Lack of help from strace
is not unexpected.


It seems to be ALPN causing the problem.

this was the commit that "broke" it...

commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Author: Jeremy Harris 
Date:   Tue Jun 22 23:04:59 2021 +0100

   TLS: as server, reject connections with ALPN indicating non-smtp use

The problem seems to be "gnutls_ext_raw_parse" returning
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
(or when no extensions are being used?) this is undocumented
behaviour, but is sematically compatible with the description of that
function.


IIRC you were testing on port 443.

Just out of interest,
what happens if you use a port without a special TLS meaning ?

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Jasen Betts via Exim-users

On 2022-09-30, Viktor Dukhovni via Exim-users  wrote:
> On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:
>
>> > With the older Exim, GnuTLS appears to consider six cipher suites before
>> > finding a suitable choice (after skipping all the DHE candidates).
>> 
>> I can disable DHE_RSA by saying
>> 
>> tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>> 
>> and now it chooses the same suite that 4.94 was choosing 
>> but there is still an error after the suite is chosen.
>
> You could keep debugging GnuTLS, or just use a version of Exim with TLS
> support via OpenSSL, which will likely just work.  Your call.
>
> Some resource that GnuTLS expects to use is not available when it is
> initialised by the problem version of Exim.  If not a DHE group,
> likely something else related cryptography.  To debug, you'd need
> to figure out where that error is raised.  Lack of help from strace
> is not unexpected.

It seems to be ALPN causing the problem.

this was the commit that "broke" it... 

commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Author: Jeremy Harris 
Date:   Tue Jun 22 23:04:59 2021 +0100

TLS: as server, reject connections with ALPN indicating non-smtp use

The problem seems to be "gnutls_ext_raw_parse" returning
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
(or when no extensions are being used?) this is undocumented
behaviour, but is sematically compatible with the description of that
function.



This patch seems to fix it in my test case. I will try real-world tests next 
week.


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7a6db94e1..9fc921064 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1142,8 +1142,9 @@ tls_server_clienthello_cb(gnutls_session_t session, 
unsigned int htype,
   unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
 {
 /* Call fn for each extension seen.  3.6.3 onwards */
-return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+ int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+ return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc ;
 }


-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:

> > With the older Exim, GnuTLS appears to consider six cipher suites before
> > finding a suitable choice (after skipping all the DHE candidates).
> 
> I can disable DHE_RSA by saying
> 
> tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
> 
> and now it chooses the same suite that 4.94 was choosing 
> but there is still an error after the suite is chosen.

You could keep debugging GnuTLS, or just use a version of Exim with TLS
support via OpenSSL, which will likely just work.  Your call.

Some resource that GnuTLS expects to use is not available when it is
initialised by the problem version of Exim.  If not a DHE group,
likely something else related cryptography.  To debug, you'd need
to figure out where that error is raised.  Lack of help from strace
is not unexpected.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Jasen Betts via Exim-users

On 2022-09-29, Viktor Dukhovni via Exim-users  wrote:
> On Thu, Sep 29, 2022 at 03:31:59AM -, Jasen Betts via Exim-users wrote:
>
>> This client called itself "Paradox" in the SMTP ehlo, I think it's
>> probably an alarm system. I have an example TLS hello packet now:
>> 
>> 160343013f0302923e9988d02b8fc276bdcf02ccb6fc3900
>> d052828c650ccd8c020040180033003900450088001600350084002f0041
>> 000a000500040100
>
> The "tshark" decode for this Client Hello is:
>
> Transport Layer Security
> SSLv3 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 67
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 63
> Version: TLS 1.1 (0x0302)
> Random: 
> 923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
> GMT Unix Time: Feb  7, 2106 01:28:15.0 EST
> Random Bytes: 
> 923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
> Session ID Length: 0
> Cipher Suites Length: 24
> Cipher Suites (12 suites)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 
> (0x0045)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 
> (0x0088)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
>
> So this client seems to support SSL 3.0 through TLS 1.1, with RSA and
> mostly SHA1.  The TLS Client HELLO includes no TLS 1.0 extensions.
>
>> tls_require_ciphers expands to "NORMAL:%COMPAT"
>> 433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
>> 433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 
>> groups into priority list
>> 433838 Initialising GnuTLS server params
>> 433838 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for 
>> compatibility
>
> First client cipher chosen.  But does the server support TLS 1.1 and
> below?  Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?
>
>> 433838 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.33: 
>> GNUTLS_DHE_RSA_AES_128_CBC_SHA1
>> 433838  error -56 from gnutls_handshake: The requested data were not 
>> available.
>
> Here, the first ciphersuite is chosen, but perhaps then fails for lack
> of appropriate DHE parameters?  There may be some adverse interaction
> between DHE group selection and TLS 1.1 and below in the newer Exim.
>
>> 435388 TLS: no SNI presented in handshake.
>> 435388 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<3>: ASSERT: 
>> ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
>> 435388 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: 
>> GNUTLS_RSA_AES_256_CBC_SHA1
>
> With the older Exim, GnuTLS appears to consider six cipher suites before
> finding a suitable choice (after skipping all the DHE candidates).

I can disable DHE_RSA by saying

tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA

and now it chooses the same suite that 4.94 was choosing 
but there is still an error after the suite is chosen.

442134 Initialising GnuTLS server params
442134 Loading default hard-coded DH params
442134 GnuTLS<3>: ASSERT: ../../lib/dh.c[gnutls_dh_params_import_pkcs3]:556
442134 Loaded fixed standard D-H parameters
442134 cipher list preloaded
442134 TLS: a client certificate will not be requested
442134 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
442134 GnuTLS<3>: ASSERT: ../../lib/db.c[_gnutls_server_restore_session]:334
442134 GnuTLS<3>: ASSERT:

Re: [exim] GnuTTS woes

2022-09-29 Thread Viktor Dukhovni via Exim-users

On Thu, Sep 29, 2022 at 10:36:55AM +0200, Cyborg via Exim-users wrote:

> There is a BSI ( the german cybersecurity agency ) guideline for
> german corps and gov entities, which states, that 2048 bit RSA keys,
> for any purpose, should not be used anymore in 2022.

The BSI stance is unreasonable for almost all users and threat models.
Perhaps there are some sensitive military or diplomatic applications in
which RSA is used in key transport mode, and where it is anticipated
that classical brute-force attacks with 2^112 cost (~10^12 times the
cost of the largest scale attacks demonstrated to date) are somehow
possible and economically justified, and 2^128 saves the day.

> Can you state, why you think, that this 2048 bit key is only used for 
> authentication, rather than for TLS encryption? I think, it is used, as 
> it's presented on port 25.

Other than with outdated RSA key transport, almost all TLS clients
prefer DHE or ECDHE, where RSA just signs (authenticates) the key
exchange, rather than encrypts or decrypts the key.

Clients old enough to not support DHE or ECDHE generally have more
severe problems than vulnerability to 2^112 attacks.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Jeremy Harris via Exim-users


On 29/09/2022 05:59, Viktor Dukhovni via Exim-users wrote:

But does the server support TLS 1.1 and
below?  Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?


This will depend on the main-config option "tls_require_ciphers",
which for GnuTLS is a "priority string".  See the Gnutls docs,
eg.
  https://www.gnutls.org/manual/html_node/Priority-Strings.html

The Exim default fo the option (with GnuTLS) is "NORMAL" - you get
whatever the GnuTLS library version decides.
That could in turn depend on per-system policies.

Note that permitting TLSv1.1 is downgrading your security.
You might want to only permit it for this client, eg. by
using an expansion depending on the IP.  Doing so will, however,
mean that Exim cannot pre-load that portion of library setup.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Evgeniy Berdnikov via Exim-users

On Thu, Sep 29, 2022 at 10:36:55AM +0200, Cyborg via Exim-users wrote:
> Am 28.09.22 um 17:51 schrieb Viktor Dukhovni via Exim-users:
> > I strongly disagree.  There's no need to be a crypto
> > exhibitionist/maximalist.  The vast majority of issuing CA RSA keys are
> > 2048-bits.  The use of 4096-bit keys is pointless waste of CPU,
> 
> There is a BSI ( the german cybersecurity agency ) guideline for german
> corps and gov entities, which states, that 2048 bit RSA keys, for any
> purpose,
> should not be used anymore in 2022.

 
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile=10

 Comment to table 3.1:

 | For a period of use beyond 2022, it is recommended to use RSA/DLIES
 | keys of 3000 bits length to achieve a consistent level of security in
 | all recommended asymmetric encryption schemes. The key length of 2000
 | bits will remain compliant with this Technical Guideline for DLIES
 | keys until the end of 2022, and also transitionally for RSA keys until
 | the end of 2023.

 So, BSI statement is significantly different from what you wrote.
 
> Can you state, why you think, that this 2048 bit key is only used for
> authentication, rather than for TLS encryption? I think, it is used, as it's
> presented on port 25.

 You have better to study basics of TLS, really.
-- 
 Eugene Berdnikov

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-29 Thread Cyborg via Exim-users


Am 28.09.22 um 17:51 schrieb Viktor Dukhovni via Exim-users:

On Wed, Sep 28, 2022 at 05:08:37PM +0200, Cyborg via Exim-users wrote:


But your key is a bit short. I suggest to upgrade it to at least 4096 bits.

I strongly disagree.  There's no need to be a crypto
exhibitionist/maximalist.  The vast majority of issuing CA RSA keys are
2048-bits.  The use of 4096-bit keys is pointless waste of CPU,



There is a BSI ( the german cybersecurity agency ) guideline for german 
corps and gov entities, which states, that 2048 bit RSA keys, for any 
purpose,

should not be used anymore in 2022.

Although, it's an EllipticCurve Key, so it's long enough. I did not 
considers this in my answere, my fault.


Can you state, why you think, that this 2048 bit key is only used for 
authentication, rather than for TLS encryption? I think, it is used, as 
it's presented on port 25.


best regards,
Marius




--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Viktor Dukhovni via Exim-users

On Thu, Sep 29, 2022 at 03:31:59AM -, Jasen Betts via Exim-users wrote:

> This client called itself "Paradox" in the SMTP ehlo, I think it's
> probably an alarm system. I have an example TLS hello packet now:
> 
> 160343013f0302923e9988d02b8fc276bdcf02ccb6fc3900
> d052828c650ccd8c020040180033003900450088001600350084002f0041
> 000a000500040100

The "tshark" decode for this Client Hello is:

Transport Layer Security
SSLv3 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 67
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 63
Version: TLS 1.1 (0x0302)
Random: 
923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
GMT Unix Time: Feb  7, 2106 01:28:15.0 EST
Random Bytes: 
923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
Session ID Length: 0
Cipher Suites Length: 24
Cipher Suites (12 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)

So this client seems to support SSL 3.0 through TLS 1.1, with RSA and
mostly SHA1.  The TLS Client HELLO includes no TLS 1.0 extensions.

> tls_require_ciphers expands to "NORMAL:%COMPAT"
> 433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
> 433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 
> groups into priority list
> 433838 Initialising GnuTLS server params
> 433838 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for 
> compatibility

First client cipher chosen.  But does the server support TLS 1.1 and
below?  Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?

> 433838 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.33: 
> GNUTLS_DHE_RSA_AES_128_CBC_SHA1
> 433838  error -56 from gnutls_handshake: The requested data were not 
> available.

Here, the first ciphersuite is chosen, but perhaps then fails for lack
of appropriate DHE parameters?  There may be some adverse interaction
between DHE group selection and TLS 1.1 and below in the newer Exim.

> 435388 TLS: no SNI presented in handshake.
> 435388 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for 
> compatibility
> 435388 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for 
> compatibility
> 435388 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for 
> compatibility
> 435388 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for 
> compatibility
> 435388 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for 
> compatibility
> 435388 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for 
> compatibility
> 435388 GnuTLS<3>: ASSERT: 
> ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
> 435388 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: 
> GNUTLS_RSA_AES_256_CBC_SHA1

With the older Exim, GnuTLS appears to consider six cipher suites before
finding a suitable choice (after skipping all the DHE candidates).

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users

On 2022-09-28, Jeremy Harris via Exim-users  wrote:
> On 28/09/2022 21:10, Viktor Dukhovni via Exim-users wrote:
>> You need to analyse some failed handshake full-packet captures  with
>> "tshark", and collected detailed logs from the clients that are having
>> problems.
>
> For Exim, that's "-d-all+tls" as a minimum.

Thanks.

This client called itself "Paradox" in the SMTP ehlo, I think it's
probably an alarm system. I have an example TLS hello packet now:

160343013f0302923e9988d02b8fc276bdcf02ccb6fc3900
d052828c650ccd8c020040180033003900450088001600350084002f0041
000a000500040100

And I'm able to provoke the error message by replaying it.

( sleep 1 ; xxd -c 32 -r << XDATA
000 160343013f0302923e9988d02b8fc276bdcf02ccb6fc3900
020 d052828c650ccd8c020040180033003900450088001600350084002f0041
040 000a000500040100
XDATA
 sleep 4 ; echo quit ; echo quit ; sleep 5 ) | nc localhost 465


root@eximtest:~# exim -bd -d-all+tls
Exim version 4.96 uid=0 gid=0 pid=433834 D=1000
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS TLS_resume 
move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP 
PIPECONNECT PRDR PROXY Queue_Ramp SOCKS SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
  Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.7.1
 Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
   Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
 Runtime: 1.33
Library version: spf2: Compile: 1.2.10
   Runtime: 1.2.10
Library version: Cyrus SASL: Compile: 2.1.27
 Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE2: Compile: 10.36
Runtime: 10.36 2020-12-04
Library version: MySQL: Compile: 100515 10.5.15 [mariadb-10.5]
Runtime: 100515 10.5.15
Library version: SQLite: Compile: 3.34.1
 Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
configuration file is /var/lib/exim4/config.autogenerated
log selectors = cffc 64205022 001c
cwd=/root 3 args: exim -bd -d-all+tls
trusted user
admin user
dropping to exim gid; retaining priv uid
fresh-exec forking for cipher-validate
fresh-exec forked for cipher-validate: 433835
postfork: cipher-validate
tls_require_ciphers expands to "NORMAL:%COMPAT"
 Exim pid=433835 (cipher-validate) terminating with rc=0 
 
tls_validate_require_cipher child 433835 ended: status=0x0
433834 creating notifier socket
433834  @/var/spool/exim4/exim_daemon_notify
433834 listening on all interfaces (IPv6) port 25
433834 listening on all interfaces (IPv4) port 25
433834 listening on all interfaces (IPv6) port 465
433834 listening on all interfaces (IPv4) port 465
433834 listening on all interfaces (IPv6) port 587
433834 listening on all interfaces (IPv4) port 587
433834 listening on all interfaces (IPv6) port 443
433834 listening on all interfaces (IPv4) port 443
433834 pid written to /run/exim4/exim.pid
433834 LOG: MAIN
433834   exim 4.96 daemon started: pid=433834, no queue runs, listening for 
SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 
465 (IPv6 and IPv4) port 443 (IPv6 and IPv4)
433834 GnuTLS global init required
433834 TLS: basic cred init, server
433834 tls_set_watch: '/etc/exim4/duck.certkey'
433834 watch dir '/etc/exim4'
433834 TLS: preloading server certs
433834 GnuTLS<3>: ASSERT: 
../../../lib/x509/attributes.c[_x509_parse_attribute]:103
433834 GnuTLS<3>: ASSERT: 
../../../lib/x509/attributes.c[_x509_parse_attribute]:174
433834 GnuTLS<3>: ASSERT: 
../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
433834 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
433834 TLS: cert/key 0 /etc/exim4/duck.certkey registered
433834 TLS: not preloading CA bundle for server
433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 
groups into priority list
433834 TLS: basic cred init, client
433834 TLS: not preloading client certs, for

Re: [exim] GnuTTS woes

2022-09-28 Thread Jeremy Harris via Exim-users


On 28/09/2022 21:10, Viktor Dukhovni via Exim-users wrote:

You need to analyse some failed handshake full-packet captures  with
"tshark", and collected detailed logs from the clients that are having
problems.


For Exim, that's "-d-all+tls" as a minimum.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Viktor Dukhovni via Exim-users

On Wed, Sep 28, 2022 at 07:58:27PM -, Jasen Betts via Exim-users wrote:

> > You said that ECDHE ciphers are not available, but a default connection
> > with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
> 
> I did say that, I was working from scraped web pages of a third-party
> analysis at the time... I've since found testssl.sh (which is easier to
> use) and by tweaking the priority string have turned on the same
> cyphers.
> 
> accordingto testssl.sh The only feature currently missing is
> maximum_fragment_size,  (and the ability to support several client platforms)
> I think I may have to run a bisection search on the source code to figure out
> where that fell off.

That particular extension is hardly likely to be particularly important.
I think you're barking up the wrong tree.  Whatever the problem is, it
is likely somewhere entirely different.

You need to analyse some failed handshake full-packet captures  with
"tshark", and collected detailed logs from the clients that are having
problems.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users

Sorry for the slow replies, my mailing list subscription was
misconfigured 

On 2022-09-28, Viktor Dukhovni via Exim-users  wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -, Jasen Betts via Exim-users wrote:
>
>> it's reachable here:  eximtest.duckdns.org
>> 
>> eg: $  testssl eximtest.duckdns.org:465
>> 
>
> You said that ECDHE ciphers are not available, but a default connection
> with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
>

I did say that, I was working from scraped web pages of a third-party
analysis at the time... I've since found testssl.sh (which is easier to
use) and by tweaking the priority string have turned on the same
cyphers.

accordingto testssl.sh The only feature currently missing is
maximum_fragment_size,  (and the ability to support several client platforms)
I think I may have to run a bisection search on the source code to figure out
where that fell off.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Viktor Dukhovni via Exim-users

On Wed, Sep 28, 2022 at 05:08:37PM +0200, Cyborg via Exim-users wrote:

> But your key is a bit short. I suggest to upgrade it to at least 4096 bits.

I strongly disagree.  There's no need to be a crypto
exhibitionist/maximalist.  The vast majority of issuing CA RSA keys are
2048-bits.  The use of 4096-bit keys is pointless waste of CPU,
especially given that these are *authentication* keys, not encryption
keys, so don't need to remain secure after they're replaced.

And keep in mind tht SMTP clients mostly still ignore the server
certificate entirely.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Cyborg via Exim-users


Am 28.09.22 um 16:28 schrieb Viktor Dukhovni via Exim-users:


Ditto on port 465 and with IPv4:

 $ posttls-finger -c -lmay -Lsummary -w -o inet_protocols=ipv4 -p TLSv1.2 
"[eximtest.duckdns.org]:465"
 posttls-finger: Untrusted TLS connection established
 to eximtest.duckdns.org[172.105.179.7]:465:
 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)



Same with openssl:

TLS 1.3

openssl s_client --connect eximtest.duckdns.org:25 -starttls smtp
CONNECTED(0003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit

TLS 1.2:

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported


But your key is a bit short. I suggest to upgrade it to at least 4096 bits.

best regards,
Marius


OpenPGP_0x048770A738345DD3.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Viktor Dukhovni via Exim-users

On Wed, Sep 28, 2022 at 09:39:43AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -, Jasen Betts via Exim-users wrote:
> 
> > it's reachable here:  eximtest.duckdns.org
> > 
> > eg: $  testssl eximtest.duckdns.org:465
> > 
> 
> You said that ECDHE ciphers are not available, but a default connection
> with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
> 
> posttls-finger: Untrusted TLS connection established
> to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
> server-digest SHA256
> 
> If I force TLS 1.2, I get (slightly less detailed cipher breakdown for
> TLS 1.2 in Postfix):
> 
> posttls-finger: Untrusted TLS connection established
> to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 
> Either this is not the server in question, or ECDHE is working just
> fine...

Ditto on port 465 and with IPv4:

$ posttls-finger -c -lmay -Lsummary -w -o inet_protocols=ipv4 -p TLSv1.2 
"[eximtest.duckdns.org]:465"
posttls-finger: Untrusted TLS connection established
to eximtest.duckdns.org[172.105.179.7]:465:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Viktor Dukhovni via Exim-users

On Tue, Sep 27, 2022 at 02:39:19AM -, Jasen Betts via Exim-users wrote:

> it's reachable here:  eximtest.duckdns.org
> 
> eg: $  testssl eximtest.duckdns.org:465
> 

You said that ECDHE ciphers are not available, but a default connection
with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:

posttls-finger: Untrusted TLS connection established
to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
server-digest SHA256

If I force TLS 1.2, I get (slightly less detailed cipher breakdown for
TLS 1.2 in Postfix):

posttls-finger: Untrusted TLS connection established
to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Either this is not the server in question, or ECDHE is working just
fine...

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users

On 2022-09-24, Viktor Dukhovni via Exim-users  wrote:
> On Fri, Sep 23, 2022 at 05:50:29AM -, Jasen Betts via Exim-users wrote:
>
>> My testing mainly involves telling exim to listen on poert 443 with
>> implicit SSL and then hitting it with www.sslcheck.com 
>> 
>>   tls_on_connect_ports = 465:443
>>   daemon_smtp_ports = 25:465:587:443
>> 
>> and this testing also shows a change in the availalbe suites.
>> 
>> It mainly seems to be ECDH suites that are no longer avaialable.
>
> There's a big difference between "ECDH" and "ECDHE", the "fixed" DH/ECDH
> ciphers are deprecated, rarely used, and should not be used.  While DHE
> and ECDHE ciphers are preferred.  If GnuTLS disabled these, no harm done.
>
> If you post the name of the server, it would be possible for others to
> confirm your observations and perhaps offer more detailed help.

the server is nothing special, basically a stock debian 11 with exim
installed from debian backports, and a certificate from letsencrypt.

I'm working towards minimum steps to reproduce by eliminating as
many other factors as possible..

I'm using a free dynamic domain name to protect the guilty.

it's reachable here:  eximtest.duckdns.org

eg: $  testssl eximtest.duckdns.org:465

once I find a good configuration I will deploy it on production
servers.


-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users

On 2022-09-24, Andreas Metzler via Exim-users  wrote:
> On 2022-09-23 Jasen Betts via Exim-users  wrote:
>> upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>> connectivity (as a server).
>
>> I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports 
>
>> customers are complaining about TLS not not working
>
>> my testing mainly involves telling exim to listen on poert 443 with
>> implicit SSL and then hitting it with www.sslcheck.com 

I have since discovered the script testssl.sh 
which gives the same results, faster.

>> and this testing also shows a change in the availalbe suites.
>
>> It mainly seems to be ECDH suites that are no longer avaialable.
>
> Hello,
>
> I suspect you have only installed a EC/ECDSA certificate, you will also
> need a RSA certificate for maximum compatibility.

On my test server I'm using an RSA certificate from letsencrypt. it
doesn't seem to make any difference.

I can align the list cipher suites on both versions by disabling DHE-RSA on
the new server, but that didn't help. 

according to testssl.sh the only protocol difference seems to be that the new
version isn't offering tls extension "max fragment length/#1" I can't
find a way to enable this to test if it makes any difference.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users

On 2022-09-24, Jeremy Harris via Exim-users  wrote:
> On 23 September 2022 06:50:29 BST, Jasen Betts via Exim-users 
>  wrote:
>>upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>>connectivity (as a server).
>>
>>I'm using libgnutls3.7.1 on debian 11 and the Exim package from
>>backports 
>
>
>
> Did the GnuTLS version change?
> If so it could be that rather than
> the Exim version change.
>
> You need to disentangle.

the version of gnutls is the same: this one.

lrwxrwxrwx 1 root root  20 Aug 7 14:30 x86_64-linux-gnu/libgnutls.so -> 
libgnutls.so.30.29.1
lrwxrwxrwx 1 root root  20 Aug 7 14:30 x86_64-linux-gnu/libgnutls.so.30 -> 
libgnutls.so.30.29.1
-rw-r--r-- 1 root root 2086552 Aug 7 14:30 x86_64-linux-gnu/libgnutls.so.30.29.1

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-24 Thread Viktor Dukhovni via Exim-users

On Fri, Sep 23, 2022 at 05:50:29AM -, Jasen Betts via Exim-users wrote:

> My testing mainly involves telling exim to listen on poert 443 with
> implicit SSL and then hitting it with www.sslcheck.com 
> 
>   tls_on_connect_ports = 465:443
>   daemon_smtp_ports = 25:465:587:443
> 
> and this testing also shows a change in the availalbe suites.
> 
> It mainly seems to be ECDH suites that are no longer avaialable.

There's a big difference between "ECDH" and "ECDHE", the "fixed" DH/ECDH
ciphers are deprecated, rarely used, and should not be used.  While DHE
and ECDHE ciphers are preferred.  If GnuTLS disabled these, no harm done.

If you post the name of the server, it would be possible for others to
confirm your observations and perhaps offer more detailed help.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-24 Thread Jeremy Harris via Exim-users

On 23 September 2022 06:50:29 BST, Jasen Betts via Exim-users 
 wrote:
>upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>connectivity (as a server).
>
>I'm using libgnutls3.7.1 on debian 11 and the Exim package from
>backports 



Did the GnuTLS version change?
If so it could be that rather than
the Exim version change.

You need to disentangle.
-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] GnuTTS woes

2022-09-24 Thread Andreas Metzler via Exim-users

On 2022-09-23 Jasen Betts via Exim-users  wrote:
> upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
> connectivity (as a server).

> I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports 

> customers are complaining about TLS not not working

> my testing mainly involves telling exim to listen on poert 443 with
> implicit SSL and then hitting it with www.sslcheck.com 

>   tls_on_connect_ports = 465:443
>   daemon_smtp_ports = 25:465:587:443

> and this testing also shows a change in the availalbe suites.

> It mainly seems to be ECDH suites that are no longer avaialable.

Hello,

I suspect you have only installed a EC/ECDSA certificate, you will also
need a RSA certificate for maximum compatibility.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] GnuTTS woes

2022-09-24 Thread Jasen Betts via Exim-users

upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
connectivity (as a server).

I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports 

customers are complaining about TLS not not working

my testing mainly involves telling exim to listen on poert 443 with
implicit SSL and then hitting it with www.sslcheck.com 

  tls_on_connect_ports = 465:443
  daemon_smtp_ports = 25:465:587:443

and this testing also shows a change in the availalbe suites.

It mainly seems to be ECDH suites that are no longer avaialable.

I'm not sure how to proceed.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

39 matches

Mail list logo