Re: [exim] POODLE advisory from exim-announce

Top Page
Delete this message
Reply to this message
Author: elrippo
Date:  
To: exim-users
Subject: Re: [exim] POODLE advisory from exim-announce
On Montag, 20. Oktober 2014, 19:39:20 Phil Pennock wrote:
> On 2014-10-19 at 10:03 +0200, elrippo wrote:
> > in my logs i can see, that all clients are using TLS, but if i specify that option, exim4 "stops" taking any messages.
> > Please find enclosed the output of "exim -d --version"
>
> > Exim version 4.76 #1 built 28-Dec-2012 16:49:07
>
> This has known security issues. You're better off updating Exim to fix
> known problems than worrying about POODLE and SMTP; worry about POODLE
> _after_ you get Exim up-to-date.
>
> Your OS might have backported fixes, but that build date suggests not.
>
> > Library version: GnuTLS: Compile: 2.12.14
> >                          Runtime: 2.12.14

>
> This is older than the GnuTLS developers support, but should still
> support TLS1.0 through TLS1.2.
>
> > > > I am running exim on Ubuntu 12.04 LTS
> > > >
> > > > If i define "tls_require_ciphers = NORMAL:!VERS-SSL3.0"
> > > >
> > > > i get an error in the log and the messages are not handled...
> > > > "2014-10-18 10:07:55 TLS error on connection from (user) [151.236.xxx.xxx] (gnutls_handshake): No supported cipher suites have been found."
> > > >
> > > > Can you advise please?
> > >
> > > That client only supports SSL and doesn't support TLS?
> > >
> > > Failing that, we need version information to go on with, so please
> > > provide the output of:
> > >
> > >     exim -d --version

>
> So, how have you ruled out that this is a client limitation, with a
> client which doesn't support TLS?
>
> Which clients are you trying to use?
>
> -Phil
>
>


Hy Phil,
so now i did an upgrade of my OS, Ubuntu 14.04, and here the output from exim -d --version

---------------------------------------------------------------------------------------------------

Exim version 4.82 #2 built 25-Feb-2014 16:38:02
Copyright (c) University of Cambridge, 1995 - 2013
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2013
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.8.2]
Library version: GnuTLS: Compile: 2.12.23
                         Runtime: 2.12.23
Library version: Cyrus SASL: Compile: 2.1.25
                             Runtime: 2.1.25 [Cyrus SASL]
Library version: PCRE: Compile: 8.31
                       Runtime: 8.31 2012-07-06
Library version: MySQL: Compile: 5.5.35 [(Ubuntu)]
                        Runtime: 5.5.40
Library version: SQLite: Compile: 3.8.2
                         Runtime: 3.8.2
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
Exim version 4.82 uid=0 gid=0 pid=13369 D=fbb95cfd
changed uid/gid: forcing real = effective
  uid=0 gid=0 pid=13369
  auxiliary group list: <none>
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
changed uid/gid: calling tls_validate_require_cipher
  uid=112 gid=121 pid=13370
  auxiliary group list: <none>
tls_require_ciphers expands to "SECURE256:!VERS-SSL3.0"
tls_validate_require_cipher child 13370 ended: status=0x0
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00632001
cwd=/home/user 3 args: exim -d --version
trusted user
admin user
changed uid/gid: privilege not needed
  uid=112 gid=121 pid=13369
  auxiliary group list: 45 121 125
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root@???
Configuration file is /var/lib/exim4/config.autogenerated


---------------------------------------------------------------------------------------------------

The Only chiphers that works, is "tls_require_ciphers expands to SECURE256:!VERS-SSL3.0"
But now i am getting trouble with a client software saying, that it could not negotiate a proper chipher suite.....

"TLS error on connection from android.mywireless [192.168.xxx.xxx] (gnutls_handshake): Could not negotiate a supported cipher suite"

Thanks in advance!
elrippo