Re: [exim] TLSv1.1, TLSv1.2

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Lena
Datum:  
To: Phil Pennock
CC: exim-users
Betreff: Re: [exim] TLSv1.1, TLSv1.2
> From: Phil Pennock

> > After upgrade to openssl 1.0.1, my Perl script
> > was unable to connect as a client to a web server (https),
> > I had to downgrade openssl to 1.0.0h on that machine (it runs Exim too).
>
> Can you identify why this failed?


I don't know how. I can test-run the script on my home machine
(also with FreeBSD and openssl from ports) with openssl 1.0.1a,
the diagnostics:

-----

URL of GET request:
https://ssl.aukro.ua/enter_login.php?session=YTlmNVoACQYECQJQDgcEAABfUFYPVlUFVw9XBFtUBABVWgcFClBWVVRYXgIJB1MAVwEEVwlVOWUwYw%3D%3D&global_login_hash=1ea66362eccc3057361e97716c31776f60fbf61a&session_login_hash=0b6adff48a1777772f767d6b34050b647a675917&url=MzhkNQ4VFUYJF0tUEwoTWR1NBRoLGABVUFcRWxJOB1NWXAZUBQoSGUFZEFwIBk9GW0hmYWE2&cod=OGZkZlVlNmJk&version=A

Response:
500 Can't connect to ssl.aukro.ua:443
Content-Type: text/plain
Client-Date: Sat, 28 Apr 2012 05:04:04 GMT
Client-Warning: Internal response

Can't connect to ssl.aukro.ua:443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:00000000:lib(0):func(0):reason(0) at /usr/local/lib/perl5/site_perl/5.14.2/LWP/Protocol/http.pm line 51.

-----

No problem doing the same (log in to that website) with freshly-compiled
Firefox 12 on the same home machine with openssl 1.0.1a. No firewall.

The script is unrelated to Exim except that it's designed to run (hourly)
on the same server as Exim and shares openssl version with Exim.
So, for now Exim on my server uses openssl 1.0.0h
and cannot encounter the problem with hotmail mentioned by Postfix people:

> > Is the following (from Postfix 2.9.2 release notes) relevant to Exim?
> >
> > | This release adds support to turn off the TLSv1.1 and TLSv1.2
> > | protocols. Introduced with OpenSSL version 1.0.1, these are known
> > | to cause inter-operability problems with for example hotmail.


> > |     example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2


I don't know yet how to tell Perl modules LWP::Simple, LWP::UserAgent
(libwww-perl) to not use TLS1.1+.

> TLS protocol negotiation should be
> robust to this sort of thing, shouldn't it?


It should, but something went wrong.

> Or did the SSLv3-compatible
> hack for TLS1.0 not get carried forward, so that you can only negotiate
> TLS1.1+ if you're not also requesting SSLv3?


I don't understand.