Re: how to ignore TLS1.3 for test purposes?

2020-07-29 Thread Harald Dunkel

On 2020-07-29 04:12, Larkin Nickle wrote:


Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the 
control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think 
"HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can tell 
according to SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but this might be 
a useful starting point.



That helped alot. Using TLS 1.2 I was able to actually see something
in the tcpdump (see attachment).

Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the
peer, including a list of ciphers and several extensions. The peer
(buxtehude.debian.org) answers with "Handshake failure", but it
doesn't tell what exactly is wrong. See attachment.

Any ideas? I am sure you guys are more proficient in reading TLS
protocol than I am.


Harri


buxtehude.debian.org.pcap
Description: application/vnd.tcpdump.pcap


Re: how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Larkin Nickle

On 2020-07-28 02:56, Harald Dunkel wrote:

Hi folks,

there seems to be a compatibility issue between opensmtpd on
OpenBSD 6.7 and exim4 on Debian's bugtracker, see

 https://lists.debian.org/debian-user/2020/07/msg01091.html

Most recent syspatches are applied, of course. I cannot reproduce
this problem with opensmtpd 6.7.1-p1 on Debian.

How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
to be brand new. Maybe its buggy.


Every helpful hint is highly appreciated
Harri



Looking at smtpd.conf(5), you should be able to put `smtp ciphers 
control` (control being the control string of allowed ciphers). The 
default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should 
be valid in removing TLSv1.3 as far as I can tell according to 
SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but 
this might be a useful starting point.




how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Harald Dunkel

Hi folks,

there seems to be a compatibility issue between opensmtpd on
OpenBSD 6.7 and exim4 on Debian's bugtracker, see

https://lists.debian.org/debian-user/2020/07/msg01091.html

Most recent syspatches are applied, of course. I cannot reproduce
this problem with opensmtpd 6.7.1-p1 on Debian.

How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
to be brand new. Maybe its buggy.


Every helpful hint is highly appreciated
Harri