Re: [exim] POODLE advisory from exim-announce

Startseite
Nachricht löschen
Nachricht beantworten
Autor: elrippo
Datum:  
To: exim-users
Betreff: Re: [exim] POODLE advisory from exim-announce
On Mittwoch, 29. Oktober 2014, 10:27:35 Cyborg wrote:
> Am 29.10.2014 um 07:48 schrieb Elrippo:
> > Hy Phil,
> > actually the Android device runs on CyanogenMod M11 with Android 4.4.4 and K9 5.001.
> > The latest release notes from K9 stated the support for TLS and with Exim4 from Ubuntu 12.04 the connections were made with TLS, as i could see in the logs.
> > Since yesterdays upgrade to Ubuntu 14.04 with Exim 4.82 I can't connect with this specific client.
> >
> > Changing chipers to NORMAL or NONE didn't help.
>
> NONE would imply, that none are used, thats the oppusite of what you
> wanted ( i assume ) : ALL .
>
> Marius
>
>
>

Hy guys,

i had some time for testing, and i am sorry to tell you that this is affected from Exim4.82 on Ubuntu 14.04 with gnutls installed.

I did some testing with the cipher priority strings, and i find it absoloutely horrifying what is going on!
I tryed different cipher suites, and then tested with swaks.

1.) Attempt

tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128

swaks -a -tls -q HELO -s elrippoisland.net -au elrippo -ap '<>'
=== Trying elrippoisland.net:25...
=== Connected to elrippoisland.net.
<- 220 server500gb.chello.at ESMTP Exim 4.82 Ubuntu Wed, 29 Oct 2014 18:22:57 +0100
-> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<- 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher SSLv3:RC4-SHA:128
=== TLS no local certificate set
=== TLS peer DN="/CN=elrippoisland.net"
~> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<~ 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP
~> QUIT
<~ 221 server500gb.chello.at closing connection
=== Connection closed with remote host.

swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
Password: xxxxxxxxxxxxxx
=== Trying elrippoisland.net:25...
=== Connected to elrippoisland.net.
<- 220 server500gb.chello.at ESMTP Exim 4.82 Ubuntu Wed, 29 Oct 2014 18:23:14 +0100
-> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<- 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher SSLv3:RC4-SHA:128
=== TLS no local certificate set
=== TLS peer DN="/CN=elrippoisland.net"
~> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<~ 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP
~> AUTH LOGIN
<~ 334 VXNlcm5hbWU6
~> ZWxyaXBwbw==
<~ 334 UGFzc3dvcmQ6
~> RGVyX01hbm5fb2huZV9TY2hhdHRlbg==
<~ 235 Authentication succeeded
~> QUIT
<~ 221 server500gb.chello.at closing connection
=== Connection closed with remote host.



2.) Attempt

tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0

swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
Password: xxxxxxxxxxxxxx
=== Trying elrippoisland.net:25...
=== Connected to elrippoisland.net.
<- 220 server500gb.chello.at ESMTP Exim 4.82 Ubuntu Wed, 29 Oct 2014 18:31:05 +0100
-> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<- 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256
=== TLS no local certificate set
=== TLS peer DN="/CN=elrippoisland.net"
~> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<~ 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP
~> AUTH LOGIN
<~ 334 VXNlcm5hbWU6
~> ZWxyaXBwbw==
<~ 334 UGFzc3dvcmQ6
~> RGVyX01hbm5fb2huZV9TY2hhdHRlbg==
<~ 235 Authentication succeeded
~> QUIT
<~ 221 server500gb.chello.at closing connection
=== Connection closed with remote host.

swaks -a -tls -q HELO -s elrippoisland.net -au elrippo -ap '<>'
=== Trying elrippoisland.net:25...
=== Connected to elrippoisland.net.
<- 220 server500gb.chello.at ESMTP Exim 4.82 Ubuntu Wed, 29 Oct 2014 18:31:53 +0100
-> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<- 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256
=== TLS no local certificate set
=== TLS peer DN="/CN=elrippoisland.net"
~> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<~ 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP
~> QUIT
<~ 221 server500gb.chello.at closing connection
=== Connection closed with remote host.

With this setup my logs look like this

elrippo@??? H=elrippos-sony-xperia-z1-compact.mywireless.elrippoisland.net [192.168.3.218] P=esmtpsa X=SSL3.0:DHE_RSA_AES_256_CBC_SHA1:256 A=plain_saslauthd_server:elrippo S=6075 id=888FE0B1-0CAB-4375-99A4-17BAC79E294A@???



3.) Attempt with defaultsetting, and without any tweaking

EXIM4 reports -> TLS error on connection from workstation.elrippoisland.net (zwergal-HP-Pavilion-g6-Notebook-PC) [192.168.2.35] (gnutls_handshake): Could not negotiate a supported cipher suite

swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
Password: XXXXXXXXXXXXXXXXXXXXXXX
=== Trying elrippoisland.net:25...
=== Connected to elrippoisland.net.
<- 220 server500gb.chello.at ESMTP Exim 4.82 Ubuntu Wed, 29 Oct 2014 18:42:45 +0100
-> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<- 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
*** STARTTLS attempted but failed

:~$ swaks -a -tls -q HELO -s elrippoisland.net -au elrippo -ap '<>'
=== Trying elrippoisland.net:25...
=== Connected to elrippoisland.net.
<- 220 server500gb.chello.at ESMTP Exim 4.82 Ubuntu Wed, 29 Oct 2014 18:42:51 +0100
-> EHLO zwergal-HP-Pavilion-g6-Notebook-PC
<- 250-server500gb.chello.at Hello workstation.elrippoisland.net [192.168.2.35]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
*** STARTTLS attempted but failed


Before upgrading Ubuntu 12.04 to 14.04 my logs locked like this
elrippo@??? H=workstation.elrippoisland.net (zwergal-hp-pavilion-g6-notebook-pc.localnet) [192.168.2.35] P=esmtpsa X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 A=login_saslauthd_server:elrippo S=13101 id=2139141.gh9cNJuBuK@zwergal-hp-pavilion-g6-notebook-pc



So please tell me, we can fix this guys......

Kind regards,
elrippo