Re: [exim] TLS problems of late

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Warren Baker
CC: exim-users
Subject: Re: [exim] TLS problems of late
On 2013-02-25 at 10:42 +0200, Warren Baker wrote:
> Any other ideas?


Note that +all is "SSL_OP_ALL" from SSL_CTX_set_options and is *not*
"all options", but "all of a subset of options deemed safe".

You reported:
10:34:24 79951 openssl option, adding from 1000000: 80000bff (all)
10:34:24 79951 setting SSL CTX options: 0x81000bff

The values can be seen in <openssl/ssl.h> and are mostly stable across
versions. (Not entirely, alas).

So that shows us that SSL_OP_NO_SSLv2 was enabled by default, that
SSL_OP_LEGACY_SERVER_CONNECT was *not* already set, despite the
documentation (*sigh*) but that it was set by SSL_OP_ALL (again, despite
the documentation). Clearly, the manpage SSL_CTX_set_options(3) is
dangerously unsafe to rely upon.

So you've ended up with these options set:
  #define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x00000001L
  #define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x00000002L
  #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
  #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
  #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
  #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
  #define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x00000040L
  #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x00000080L
  #define SSL_OP_TLS_D5_BUG                               0x00000100L
  #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
  #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L
  #define SSL_OP_NO_SSLv2                                 0x01000000L
  #define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     0x80000000L


That leaves these:
  (four DTLS options in mask 0x0000F000L)
  #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
  #define SSL_OP_NO_COMPRESSION                           0x00020000L
  #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000L
  #define SSL_OP_SINGLE_ECDH_USE                          0x00080000L
  #define SSL_OP_SINGLE_DH_USE                            0x00100000L
  #define SSL_OP_EPHEMERAL_RSA                            0x00200000L
  #define SSL_OP_CIPHER_SERVER_PREFERENCE                 0x00400000L
  #define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000L
  #define SSL_OP_NO_SSLv3                                 0x02000000L
  #define SSL_OP_NO_TLSv1                                 0x04000000L
  #define SSL_OP_NO_TLSv1_2                               0x08000000L
  #define SSL_OP_NO_TLSv1_1                               0x10000000L
  #define SSL_OP_NETSCAPE_CA_DN_BUG                       0x20000000L
  #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L


Try adding in +no_tlsv1_1 and +no_tlsv1_2 -- if this fixes it, then it
looks like MS bugs around the use of TLS1.1/TLS1.2.

OpenSSL 1.0.1 series a-c had a bug in renegotiation, fixed from d
onwards, which led them to use the wrong version number in
renegotiation. You said you're on 1.0.1e, so the issue is fixed there,
but perhaps there's something similar going on in MS's TLS stack.

If this really is not encountered with GnuTLS though, then it's
something else, since GnuTLS has supported TLS1.1/1.2 for longer than
OpenSSL.

-Phil