On 2022-09-30, Jeremy Harris via Exim-users wrote:
> On 30/09/2022 09:11, Jasen Betts via Exim-users wrote:
>> Testssl.sh primes its ALPN requests based on the port number used
>
> What does it use for 25/465/567 ? I don't know of an actual Standard;
> I just picked the obvious for Exim.
I
On Fri, Sep 30, 2022 at 06:02:35PM +0100, Jeremy Harris via Exim-users wrote:
> On 30/09/2022 16:46, Viktor Dukhovni via Exim-users wrote:
> >> 00C0C6000800:error:0A0C0103:SSL
> >> routines:tls_process_key_exchange:internal
> >> error:ssl/statem/statem_clnt.c:2254:
> >>
> >> I'll try to
On 30/09/2022 16:46, Viktor Dukhovni via Exim-users wrote:
00C0C6000800:error:0A0C0103:SSL
routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:
I'll try to find some time to file a bug. Feel free to beat me to it.
Actually, this is expected behaviour:
On Fri, Sep 30, 2022 at 11:23:47AM -0400, Viktor Dukhovni via Exim-users wrote:
> I just reproduced the problem with a fresh build of 3.0.6-dev from
> github (built on FreeBSD 12.3):
>
> $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl
> s_client -starttls smtp -tls1_1
On Fri, Sep 30, 2022 at 11:05:57AM -0400, Viktor Dukhovni via Exim-users wrote:
> > Clearing either no_tlsv1_1 or no_sslv3 has no effect.
>
> Of course, if there's no support, the CLI flags don't matter. TLS 1.1 does
> not work with OpenSSL 3.0.5, Though it looks more like a bug to me:
>
>
On Fri, Sep 30, 2022 at 03:48:18PM +0100, Jeremy Harris via Exim-users wrote:
> OpenSSL 3.0.5 5 Jul 2022running on Fedora 36
>
> I think using the distro standard package
> openssl-1:3.0.2-4.fc36.x86_64
> (though I note the numbers don't exactly line up)
>
> The failure mode is a TLS Alert
On 30/09/2022 15:48, Jeremy Harris wrote:
OpenSSL 3.0.5 5 Jul 2022 running on Fedora 36
I think using the distro standard package
openssl-1:3.0.2-4.fc36.x86_64
(though I note the numbers don't exactly line up)
Correction: openssl-1:3.0.5-1.fc36.x86_64
probably from the Fedora "updates"
On Fri, Sep 30, 2022 at 02:09:19PM +0200, Cyborg via Exim-users wrote:
> My POV here: "why waiting". Encryption doesn't slow down todays cpus
> anymore as it has 15 years ago, same for a smartphone soc.
Mobile devices have batteries, and large RSA keys have a real packet
size and latency cost.
On 30/09/2022 15:33, Viktor Dukhovni via Exim-users wrote:
On Fri, Sep 30, 2022 at 02:04:51PM +0100, Jeremy Harris via Exim-users wrote:
Note that this client won't work against current OpenSSL
default builds.
When you say "current" you mean 3.1-dev? What is the observed failure
mode? It
On Fri, Sep 30, 2022 at 02:04:51PM +0100, Jeremy Harris via Exim-users wrote:
> Ah, the difference is the total lack of TLS extensions
> in the Client Hello.
>
> Commit ece23f05d6 pushed.
>
> Note that this client won't work against current OpenSSL
> default builds.
When you say "current" you
On 30/09/2022 09:14, Jeremy Harris via Exim-users wrote:
On 30/09/2022 06:06, Jasen Betts via Exim-users wrote:
It seems to be ALPN causing the problem.
this was the commit that "broke" it...
commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Curious, given that the testsuite makes
Am 29.09.22 um 12:19 schrieb Evgeniy Berdnikov via Exim-users:
corps and gov entities, which states, that 2048 bit RSA keys, for any
purpose,*should* not be used anymore in 2022.
On 30/09/2022 09:11, Jasen Betts via Exim-users wrote:
Testssl.sh primes its ALPN requests based on the port number used
What does it use for 25/465/567 ? I don't know of an actual Standard;
I just picked the obvious for Exim.
--
Cheers,
Jeremy
--
## List details at
On 30/09/2022 06:06, Jasen Betts via Exim-users wrote:
It seems to be ALPN causing the problem.
this was the commit that "broke" it...
commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Curious, given that the testsuite makes non-ALPN connections
all over the place. I'll try to
On 2022-09-30, Andrew C Aitchison via Exim-users wrote:
> On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:
>
>> On 2022-09-30, Viktor Dukhovni via Exim-users wrote:
>>> On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:
>>>
> With the older Exim, GnuTLS appears
On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:
On 2022-09-30, Viktor Dukhovni via Exim-users wrote:
On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:
With the older Exim, GnuTLS appears to consider six cipher suites before
finding a suitable choice (after
On 2022-09-30, Viktor Dukhovni via Exim-users wrote:
> On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:
>
>> > With the older Exim, GnuTLS appears to consider six cipher suites before
>> > finding a suitable choice (after skipping all the DHE candidates).
>>
>> I can
On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote:
> > With the older Exim, GnuTLS appears to consider six cipher suites before
> > finding a suitable choice (after skipping all the DHE candidates).
>
> I can disable DHE_RSA by saying
>
> tls_require_ciphers =
On 2022-09-29, Viktor Dukhovni via Exim-users wrote:
> On Thu, Sep 29, 2022 at 03:31:59AM -, Jasen Betts via Exim-users wrote:
>
>> This client called itself "Paradox" in the SMTP ehlo, I think it's
>> probably an alarm system. I have an example TLS hello packet now:
>>
>>
On Thu, Sep 29, 2022 at 10:36:55AM +0200, Cyborg via Exim-users wrote:
> There is a BSI ( the german cybersecurity agency ) guideline for
> german corps and gov entities, which states, that 2048 bit RSA keys,
> for any purpose, should not be used anymore in 2022.
The BSI stance is unreasonable
On 29/09/2022 05:59, Viktor Dukhovni via Exim-users wrote:
But does the server support TLS 1.1 and
below? Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?
This will depend on the main-config option "tls_require_ciphers",
which for GnuTLS is a "priority string". See the Gnutls docs,
On Thu, Sep 29, 2022 at 10:36:55AM +0200, Cyborg via Exim-users wrote:
> Am 28.09.22 um 17:51 schrieb Viktor Dukhovni via Exim-users:
> > I strongly disagree. There's no need to be a crypto
> > exhibitionist/maximalist. The vast majority of issuing CA RSA keys are
> > 2048-bits. The use of
Am 28.09.22 um 17:51 schrieb Viktor Dukhovni via Exim-users:
On Wed, Sep 28, 2022 at 05:08:37PM +0200, Cyborg via Exim-users wrote:
But your key is a bit short. I suggest to upgrade it to at least 4096 bits.
I strongly disagree. There's no need to be a crypto
exhibitionist/maximalist. The
On Thu, Sep 29, 2022 at 03:31:59AM -, Jasen Betts via Exim-users wrote:
> This client called itself "Paradox" in the SMTP ehlo, I think it's
> probably an alarm system. I have an example TLS hello packet now:
>
> 160343013f0302923e9988d02b8fc276bdcf02ccb6fc3900
>
On 2022-09-28, Jeremy Harris via Exim-users wrote:
> On 28/09/2022 21:10, Viktor Dukhovni via Exim-users wrote:
>> You need to analyse some failed handshake full-packet captures with
>> "tshark", and collected detailed logs from the clients that are having
>> problems.
>
> For Exim, that's
On 28/09/2022 21:10, Viktor Dukhovni via Exim-users wrote:
You need to analyse some failed handshake full-packet captures with
"tshark", and collected detailed logs from the clients that are having
problems.
For Exim, that's "-d-all+tls" as a minimum.
--
Cheers,
Jeremy
--
## List details
On Wed, Sep 28, 2022 at 07:58:27PM -, Jasen Betts via Exim-users wrote:
> > You said that ECDHE ciphers are not available, but a default connection
> > with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
>
> I did say that, I was working from scraped web pages of a third-party
>
Sorry for the slow replies, my mailing list subscription was
misconfigured
On 2022-09-28, Viktor Dukhovni via Exim-users wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -, Jasen Betts via Exim-users wrote:
>
>> it's reachable here: eximtest.duckdns.org
>>
>> eg: $ testssl
On Wed, Sep 28, 2022 at 05:08:37PM +0200, Cyborg via Exim-users wrote:
> But your key is a bit short. I suggest to upgrade it to at least 4096 bits.
I strongly disagree. There's no need to be a crypto
exhibitionist/maximalist. The vast majority of issuing CA RSA keys are
2048-bits. The use of
Am 28.09.22 um 16:28 schrieb Viktor Dukhovni via Exim-users:
Ditto on port 465 and with IPv4:
$ posttls-finger -c -lmay -Lsummary -w -o inet_protocols=ipv4 -p TLSv1.2
"[eximtest.duckdns.org]:465"
posttls-finger: Untrusted TLS connection established
to
On Wed, Sep 28, 2022 at 09:39:43AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -, Jasen Betts via Exim-users wrote:
>
> > it's reachable here: eximtest.duckdns.org
> >
> > eg: $ testssl eximtest.duckdns.org:465
> >
>
> You said that ECDHE ciphers are
On Tue, Sep 27, 2022 at 02:39:19AM -, Jasen Betts via Exim-users wrote:
> it's reachable here: eximtest.duckdns.org
>
> eg: $ testssl eximtest.duckdns.org:465
>
You said that ECDHE ciphers are not available, but a default connection
with "posttls-finger" gives TLS 1.3 with an ECDHE
On 2022-09-24, Viktor Dukhovni via Exim-users wrote:
> On Fri, Sep 23, 2022 at 05:50:29AM -, Jasen Betts via Exim-users wrote:
>
>> My testing mainly involves telling exim to listen on poert 443 with
>> implicit SSL and then hitting it with www.sslcheck.com
>>
>> tls_on_connect_ports =
On 2022-09-24, Andreas Metzler via Exim-users wrote:
> On 2022-09-23 Jasen Betts via Exim-users wrote:
>> upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>> connectivity (as a server).
>
>> I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports
>
>>
On 2022-09-24, Jeremy Harris via Exim-users wrote:
> On 23 September 2022 06:50:29 BST, Jasen Betts via Exim-users
> wrote:
>>upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>>connectivity (as a server).
>>
>>I'm using libgnutls3.7.1 on debian 11 and the Exim package from
On Fri, Sep 23, 2022 at 05:50:29AM -, Jasen Betts via Exim-users wrote:
> My testing mainly involves telling exim to listen on poert 443 with
> implicit SSL and then hitting it with www.sslcheck.com
>
> tls_on_connect_ports = 465:443
> daemon_smtp_ports = 25:465:587:443
>
> and this
On 23 September 2022 06:50:29 BST, Jasen Betts via Exim-users
wrote:
>upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>connectivity (as a server).
>
>I'm using libgnutls3.7.1 on debian 11 and the Exim package from
>backports
Did the GnuTLS version change?
If so it
On 2022-09-23 Jasen Betts via Exim-users wrote:
> upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
> connectivity (as a server).
> I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports
> customers are complaining about TLS not not working
> my testing
38 matches
Mail list logo
