Re: [exim] Exim 4.82 OpenSSL-1.0.1e and Microsoft Exchange 6…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Tony Finch
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Exim 4.82 OpenSSL-1.0.1e and Microsoft Exchange 6.0.3790
I have done some experiments with an OpenSSL-1.0.2 snapshot which has a
handy -trace option to s_client so you can see more about what is going
on.

It seems that these problem servers have seriously deficient cipher
suites. For bulk crypto they seem to support only DES and RC4, and DES is
broken - see below for an exmaple. The key difference between TLS version
1.2 and lower versions is that OpenSSL sends a much longer cipher suite
which causes the broken servers to pick 3DES instead of RC4.

In the following note the WTF record from the server that arrives just
after the EHLO capability list.

$ /opt/OpenSSL-1.0.2-stable-SNAP-20131112.tar.gz+0/bin/openssl s_client \
-tls1 -cipher DES -trace -crlf -starttls smtp -connect mail.stratton.beds.sch.uk:25
[...]
SSL handshake has read 4007 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC-SHA
    Session-ID: F31E0000C223D3B1FD847AC684E99D198947CF506659F1981FF69D18BA773A9F
    Session-ID-ctx:
    Master-Key: 6B43FFE22010D6495C1E3BD588CC1B306DF4E2345B45355294637E7D5DF5FBBAF233D7028A6B38727B6A69B16D631BD6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1384282116
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
ehlo ppsw-41
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = ApplicationData (23)
  Length = 24
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = ApplicationData (23)
  Length = 40
Received Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = ApplicationData (23)
  Length = 344
250-strats05.stratton.beds.sch.uk Hello [131.111.8.141]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
Received Record
Header:
  Version = UNKNOWN (0x3039)
  Content Type = UNKNOWN (50)
  Length = 12854
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Alert (21)
  Length = 24
    Level=fatal(2), description=protocol version(70)


140510746306216:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:339:
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Alert (21)
  Length = 24
    Level=warning(1), description=close notify(0)


Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}