Re: [exim] POODLE advisory from exim-announce

Author: Todd Lyons
Date:  
To: elrippo
CC: exim-users
Subject: Re: [exim] POODLE advisory from exim-announce
I'm not a TLS expert, but I wanted to clarify a few things:

On Wed, Oct 29, 2014 at 11:17 AM, elrippo <elrippo@???> wrote:
> On Wednesday, 29 October 2014, 10:27:35 Cyborg wrote:
>
> I had some time for testing, and I am sorry to tell you that this is affected from Exim 4.82 on Ubuntu 14.04 with gnutls installed.
> I did some testing with the cipher priority strings, and I find it absolutely horrifying what is going on!
> I tried different cipher suites, and then tested with swaks.
>
> 1.) Attempt
> tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128
>
> swaks -a -tls -q HELO -s elrippoisland.net -au elrippo -ap '<>'

<snip>
> === TLS started with cipher SSLv3:RC4-SHA:128


You disabled all TLS protocols, only enabled SSLv3 protocol, and then
disabled all ciphers but RC4. The results in swaks confirmed that.

> 2.) Attempt
> tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0
>
> swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo

<snip>
> === TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256


You disabled all TLS protocols and only enabled SSLv3. Since you
didn't artificially limit the ciphers, it negotiated a much better one
than RC4.

> 3.) Attempt with defaultsetting, and without any tweaking
> swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
> *** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
> *** STARTTLS attempted but failed


> So please tell me, we can fix this guys......


Well, when nothing is set for the tls_require_ciphers, the string
"NORMAL" is used to init the gnutls library. What protocols and
ciphers does "NORMAL" set for gnutls? I couldn't tell from
http://gnutls.org/manual/html_node/Priority-Strings.html. You may want
to experiment with other predefined settings that are in that page.


...Todd

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
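The following is an added example, not part of Todd's or elrippo's messages and not Exim or GnuTLS code. It does two things a mail admin reading this thread would want: it scans captured swaks output (constructed sample lines modelled on the ones quoted above) and flags sessions that negotiated SSL 3.0 or RC4, and it models a GnuTLS priority string far enough to answer whether SSL 3.0 is still allowed. The model is deliberately simplified (only the `VERS-*` tokens are tracked) and assumes, via the `base_includes_ssl3` parameter, that the `NORMAL` keyword of the GnuTLS builds shipped in 2014 still enabled SSL 3.0; the fix it points at is appending `-VERS-SSL3.0` to `tls_require_ciphers`. The hostname in the sample output is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: swaks output modelled on the lines quoted in the thread.
SAMPLE_SWAKS_OUTPUT = """\
=== Connected to mail.example.test.
=== TLS started with cipher SSLv3:RC4-SHA:128
=== TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
"""

# swaks reports the negotiated session as PROTOCOL:CIPHER:BITS.
TLS_STARTED = re.compile(
    r"TLS started with cipher (?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)"
)


def parse_tls_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'proto', 'cipher', 'bits'} for a 'TLS started' line, else None."""
    m = TLS_STARTED.search(line)
    if not m:
        return None
    return {"proto": m.group("proto"), "cipher": m.group("cipher"),
            "bits": int(m.group("bits"))}


def assess_session(proto: str, cipher: str) -> List[str]:
    """Flag the two weaknesses the thread's tests exposed: SSL 3.0 and RC4."""
    findings = []
    if proto.upper().startswith("SSLV"):
        findings.append("SSL 3.0 (or older) negotiated: POODLE-affected; disable it server-side")
    if "RC4" in cipher.upper() or "ARCFOUR" in cipher.upper():
        findings.append("RC4 negotiated: weak stream cipher; remove it from the cipher list")
    return findings


def scan_swaks_output(text: str) -> List[Dict[str, object]]:
    """Scan captured swaks output and attach findings to every negotiated session."""
    results = []
    for line in text.splitlines():
        session = parse_tls_line(line)
        if session is None:
            continue
        session["findings"] = assess_session(session["proto"], session["cipher"])
        results.append(session)
    return results


def priority_allows_ssl3(priority: str, base_includes_ssl3: bool = True) -> bool:
    """Simplified model of a GnuTLS priority string: only VERS-* tokens are tracked.

    Assumption: the base keyword (NORMAL etc.) enables SSL 3.0 unless it is NONE,
    as the 2014-era GnuTLS defaults did; pass base_includes_ssl3=False for a
    GnuTLS build whose defaults already exclude SSL 3.0.
    """
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    if not tokens:
        return base_includes_ssl3
    enabled = False if tokens[0].upper() == "NONE" else base_includes_ssl3
    for tok in tokens[1:]:
        sign, name = tok[0], tok[1:].upper()
        if sign in "-!" and name in ("VERS-SSL3.0", "VERS-ALL"):
            enabled = False   # explicit removal of SSL 3.0 (or of every version)
        elif sign == "+" and name in ("VERS-SSL3.0", "VERS-ALL"):
            enabled = True    # explicit (re-)enable, as in attempts 1 and 2 above
        # -VERS-TLS-ALL, CIPHER-*, MAC-*, %options etc. do not touch SSL 3.0
    return enabled


if __name__ == "__main__":
    for s in scan_swaks_output(SAMPLE_SWAKS_OUTPUT):
        print(f"{s['proto']}:{s['cipher']}:{s['bits']} -> {s['findings'] or 'ok'}")
    for p in ("NORMAL",
              "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128",
              "NORMAL:-VERS-SSL3.0"):
        print(f"{p!r}: SSL 3.0 {'allowed' if priority_allows_ssl3(p) else 'disabled'}")
```

Run against the three attempts from the thread, the checker reports SSL 3.0 as allowed for attempts 1 and 2 (they explicitly add `+VERS-SSL3.0`) and, under the stated assumption, for the bare `NORMAL` default as well; `NORMAL:-VERS-SSL3.0` is the first string it reports as disabled. Treat the model as a configuration lint, not a substitute for testing the live server with swaks or gnutls-cli.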