Re: [openssl-project] FYI: [postfix & TLS1.3 problems]

2018-10-11 Thread Benjamin Kaduk
I would guess that the misbehaving clients are early openssl betas
that receive the real TLS 1.3 version and then try to interpret
as whatever draft versino they actually implemnet.

-Ben

On Thu, Oct 11, 2018 at 01:18:03PM -0400, Viktor Dukhovni wrote:
> 
> Apparently, some SMTP clients set fallback_scsv when doing TLS 1.2
> with Postfix servers using OpenSSL 1.1.1.  Not yet clear whether
> they tried TLS 1.3 first and failed, or just sent the SCSV out of
> the blue...
> 
> See attached.  If this is a common problem, it might be useful to
> have a control that tolerates "downgrade" to TLS 1.2, without
> disabling TLS 1.3 support.  In many cases, and especially opportunitistic
> security, where STARTTLS can be stripped by an MiTM entirely, so
> we often can't even prevent downgrades to cleartext, TLS 1.2 is
> quite good enough.
> 
> -- 
>   Viktor.

> Date: Thu, 11 Oct 2018 12:53:38 -0400
> From: Viktor Dukhovni 
> To: postfix-us...@postfix.org
> Subject: Re: postfix & TLS1.3 problems
> User-Agent: Mutt/1.10.1 (2018-07-13)
> 
> On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:
> 
> > today I noticed a significant amount of TLS failures in my postfix log.
> > 
> > Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from  
> > client.example[192.0.2.25]:34152: -1
> > 
> > I traced some sessions and found the problematic client is announcing  
> > the special cipher "TLS_FALLBACK_SCSV"
> > in a TLSv1.2 ClientHello message. Now, as my server support TLSv1.3,  
> > my SSL library (openssl-1.1.1) assume a downgrade attack an close the  
> > connection with an SSL error message "inappropriate fallback"
> > 
> > The core issue is a client with a nonconforming TLS implementation.
> 
> Any idea what software these clients are running?  Are they at all
> likely to fix this any time soon?
> 
> > To circumvent the problem I tried to disable TLS1.3 on my server by setting
> > smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3
> > 
> > But that does not help.
> > The Client still fail an deliver the message by falling back to plain text 
> > :-/
> > 
> > The only option to force encrypted traffic again would be a library  
> > downgrade on my side.
> > Any other suggestions?
> 
> Support for OpenSSL 1.1.1 and TLS 1.3 is on the list of fixes slated
> for Postfix 3.4, and some may then be backported to patch levels
> of earlier releases.
> 
> In the meantime, try:
> 
> tls_ssl_options = 0x2000
> 
> which corresponds to SSL_OP_NO_TLSv1_3.  I am not aware of any
> method to accept the "downgrade" to TLS 1.2 without disabling TLS
> 1.3 for clients that do have correct implementations.
> 
> -- 
>   Viktor.

> ___
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


[openssl-project] FYI: [postfix & TLS1.3 problems]

2018-10-11 Thread Viktor Dukhovni

Apparently, some SMTP clients set fallback_scsv when doing TLS 1.2
with Postfix servers using OpenSSL 1.1.1.  Not yet clear whether
they tried TLS 1.3 first and failed, or just sent the SCSV out of
the blue...

See attached.  If this is a common problem, it might be useful to
have a control that tolerates "downgrade" to TLS 1.2, without
disabling TLS 1.3 support.  In many cases, and especially opportunitistic
security, where STARTTLS can be stripped by an MiTM entirely, so
we often can't even prevent downgrades to cleartext, TLS 1.2 is
quite good enough.

-- 
Viktor.
--- Begin Message ---
On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:

> today I noticed a significant amount of TLS failures in my postfix log.
> 
> Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from  
> client.example[192.0.2.25]:34152: -1
> 
> I traced some sessions and found the problematic client is announcing  
> the special cipher "TLS_FALLBACK_SCSV"
> in a TLSv1.2 ClientHello message. Now, as my server support TLSv1.3,  
> my SSL library (openssl-1.1.1) assume a downgrade attack an close the  
> connection with an SSL error message "inappropriate fallback"
> 
> The core issue is a client with a nonconforming TLS implementation.

Any idea what software these clients are running?  Are they at all
likely to fix this any time soon?

> To circumvent the problem I tried to disable TLS1.3 on my server by setting
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3
> 
> But that does not help.
> The Client still fail an deliver the message by falling back to plain text :-/
> 
> The only option to force encrypted traffic again would be a library  
> downgrade on my side.
> Any other suggestions?

Support for OpenSSL 1.1.1 and TLS 1.3 is on the list of fixes slated
for Postfix 3.4, and some may then be backported to patch levels
of earlier releases.

In the meantime, try:

tls_ssl_options = 0x2000

which corresponds to SSL_OP_NO_TLSv1_3.  I am not aware of any
method to accept the "downgrade" to TLS 1.2 without disabling TLS
1.3 for clients that do have correct implementations.

-- 
Viktor.
--- End Message ---
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project