Am Mittwoch, 29. Oktober 2014, 14:05:53 schrieben Sie:
> I'm not a TLS expert, but I wanted to clarify a few things:
>
> On Wed, Oct 29, 2014 at 11:17 AM, elrippo <elrippo@???> wrote:
> > On Mittwoch, 29. Oktober 2014, 10:27:35 Cyborg wrote:
> >
> > i had some time for testing, and i am sorry to tell you that this is affected from Exim4.82 on Ubuntu 14.04 with gnutls installed.
> > I did some testing with the cipher priority strings, and i find it absoloutely horrifying what is going on!
> > I tryed different cipher suites, and then tested with swaks.
> >
> > 1.) Attempt
> > tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128
> >
> > swaks -a -tls -q HELO -s elrippoisland.net -au elrippo -ap '<>'
> <snip>
> > === TLS started with cipher SSLv3:RC4-SHA:128
>
> You disabled all TLS protocols, only enabled SSLv3 protocol, and then
> disabled all ciphers but RC4. The results in swaks confirmed that.
>
> > 2.) Attempt
> > tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0
> >
> > swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
> <snip>
> > === TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256
>
> You disabled all TLS protocols and only enabled SSLv3. Since you
> didn't artificially limit the ciphers, it negotiated a much better one
> than RC4.
>
> > 3.) Attempt with defaultsetting, and without any tweaking
> > swaks -a -tls -q AUTH -s elrippoisland.net -au elrippo
> > *** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
> > *** STARTTLS attempted but failed
>
> > So please tell me, we can fix this guys......
>
> Well, when nothing is set for the tls_require_ciphers, the string
> "NORMAL" is used to init the gnutls library. What protocols and
> ciphers does "NORMAL" set for gnutls? I couldn't tell from
> http://gnutls.org/manual/html_node/Priority-Strings.html You may want
> to experiment with other predefined settings that are in that page.
>
>
> ...Todd
>
>
Hy Todd,
i know, i was trying to get a client working .
Currently i am using tls_require_ciphers = SECURE128:!VERS-SSL3.0
The funny thing is, with swaks from my desktop i get
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
*** STARTTLS attempted but failed
When i use the same desktop with a client software like kmail or thunderbird, i get a x=TLSv1.0 connection to exim4
On the other hand some other mail servers fall back to esmtp due to a lacking cipher suite, almost only googles mail server connects with TLSv1.2
I went through almost all possible priority_strings from gnutls, and NORMAL isn't working at all, only SECURE128:!VERS-SSL3.0 and SECURE256:!VERS-SSL3.0 are producing succesfull connections.
This is all rather confusing to me.....
I filed a report on K9-mail's site, i am not the only one :)
Thank you for your assistance guys!!!
Kind regards,
elrippo.
