On Monday, 3 November 2014, 01:12:12 Phil Pennock wrote:
> On 2014-11-01 at 11:11 +0100, elrippo wrote:
> > I advised exim4 to use these ciphers, because nothing else is working, neither writing mails nor receiving mails from other mail servers.
> >
> > tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0
> >
> >
> >
> > I sent a mail using my desktop client and my domain to google. Incoming exim4 used SSL, outgoing TLS?!?!
>
> Let's go back to Tony's mail a moment here:
>
> ----------------------------8< cut here >8------------------------------
> To disable SSLv3 in Exim when compiled with GnuTLS, set the following in
> both the main options section of your configuration file (for incoming
> connection) and on your SMTP transports (for outgoing connections).
>
> tls_require_ciphers = NORMAL:!VERS-SSL3.0
> ----------------------------8< cut here >8------------------------------
>
> It looks very much like you're only changing `tls_require_ciphers` in
> the main section of the configuration file, not on the SMTP Transport(s)
> too.
>
> -Phil
>
>
Hi Phil,
yes, I know...
I tried setting the options
tls_require_ciphers = NORMAL:!VERS-SSL3.0
tls_advertise_hosts = *
hosts_require_tls = *
in
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
and
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
After running update-exim4.conf it complains [main option "hosts_require_tls" unknown], ["tls_advertise_hosts" option set for the second time] and, in
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp, [option "tls_require_ciphers" unknown].
hmmmm........
I mostly get [(gnutls_handshake): Could not negotiate a supported cipher suite.], so I checked the cipher suites with gnutls-cli -l:
gnutls-cli -l
Cipher suites:
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_NULL_SHA1 0x00, 0x02 SSL3.0
TLS_RSA_NULL_SHA256 0x00, 0x3b TLS1.0
TLS_RSA_ARCFOUR_128_SHA1 0x00, 0x05 SSL3.0
TLS_RSA_ARCFOUR_128_MD5 0x00, 0x04 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA256 0x00, 0xba TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA256 0x00, 0xc0 TLS1.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.0
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.0
TLS_RSA_AES_128_GCM_SHA256 0x00, 0x9c TLS1.2
TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
TLS_RSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x7a TLS1.2
TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
TLS_RSA_SALSA20_256_SHA1 0xe4, 0x11 SSL3.0
TLS_RSA_SALSA20_256_UMAC96 0xe4, 0x31 SSL3.0
TLS_RSA_ESTREAM_SALSA20_256_SHA1 0xe4, 0x10 SSL3.0
TLS_RSA_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x30 SSL3.0
TLS_DHE_DSS_ARCFOUR_128_SHA1 0x00, 0x66 TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 0x00, 0xbd TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 0x00, 0xc3 TLS1.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.0
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.0
TLS_DHE_DSS_AES_128_GCM_SHA256 0x00, 0xa2 TLS1.2
TLS_DHE_DSS_AES_256_GCM_SHA384 0x00, 0xa3 TLS1.2
TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256 0xc0, 0x80 TLS1.2
TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384 0xc0, 0x81 TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 0x00, 0xbe TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 0x00, 0xc4 TLS1.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.0
TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x7c TLS1.2
TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7d TLS1.2
TLS_ECDHE_RSA_NULL_SHA1 0xc0, 0x10 SSL3.0
TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x12 SSL3.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13 SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14 SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA384 0xc0, 0x28 TLS1.0
TLS_ECDHE_RSA_ARCFOUR_128_SHA1 0xc0, 0x11 SSL3.0
TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 0xc0, 0x76 TLS1.0
TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 0xc0, 0x77 TLS1.0
TLS_ECDHE_ECDSA_NULL_SHA1 0xc0, 0x06 SSL3.0
TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 0xc0, 0x08 SSL3.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 SSL3.0
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a SSL3.0
TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 0xc0, 0x07 SSL3.0
TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 0xc0, 0x72 TLS1.0
TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 0xc0, 0x73 TLS1.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 0xc0, 0x23 TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA256 0xc0, 0x27 TLS1.0
TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x86 TLS1.2
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x87 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.0
TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x8a TLS1.2
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x8b TLS1.2
TLS_ECDHE_RSA_SALSA20_256_SHA1 0xe4, 0x13 SSL3.0
TLS_ECDHE_RSA_SALSA20_256_UMAC96 0xe4, 0x33 SSL3.0
TLS_ECDHE_ECDSA_SALSA20_256_SHA1 0xe4, 0x15 SSL3.0
TLS_ECDHE_ECDSA_SALSA20_256_UMAC96 0xe4, 0x35 SSL3.0
TLS_ECDHE_RSA_ESTREAM_SALSA20_256_SHA1 0xe4, 0x12 SSL3.0
TLS_ECDHE_RSA_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x32 SSL3.0
TLS_ECDHE_ECDSA_ESTREAM_SALSA20_256_SHA1 0xe4, 0x14 SSL3.0
TLS_ECDHE_ECDSA_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x34 SSL3.0
TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 0xc0, 0x34 SSL3.0
TLS_ECDHE_PSK_AES_128_CBC_SHA1 0xc0, 0x35 SSL3.0
TLS_ECDHE_PSK_AES_256_CBC_SHA1 0xc0, 0x36 SSL3.0
TLS_ECDHE_PSK_AES_128_CBC_SHA256 0xc0, 0x37 TLS1.0
TLS_ECDHE_PSK_AES_256_CBC_SHA384 0xc0, 0x38 TLS1.0
TLS_ECDHE_PSK_ARCFOUR_128_SHA1 0xc0, 0x33 SSL3.0
TLS_ECDHE_PSK_NULL_SHA256 0xc0, 0x3a TLS1.0
TLS_ECDHE_PSK_NULL_SHA384 0xc0, 0x3b TLS1.0
TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x9a TLS1.0
TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x9b TLS1.0
TLS_ECDHE_PSK_SALSA20_256_SHA1 0xe4, 0x19 SSL3.0
TLS_ECDHE_PSK_SALSA20_256_UMAC96 0xe4, 0x39 SSL3.0
TLS_ECDHE_PSK_ESTREAM_SALSA20_256_SHA1 0xe4, 0x18 SSL3.0
TLS_ECDHE_PSK_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x38 SSL3.0
TLS_PSK_ARCFOUR_128_SHA1 0x00, 0x8a TLS1.0
TLS_PSK_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0
TLS_PSK_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0
TLS_PSK_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0
TLS_PSK_AES_128_CBC_SHA256 0x00, 0xae TLS1.0
TLS_PSK_AES_256_GCM_SHA384 0x00, 0xa9 TLS1.2
TLS_PSK_CAMELLIA_128_GCM_SHA256 0xc0, 0x8e TLS1.2
TLS_PSK_CAMELLIA_256_GCM_SHA384 0xc0, 0x8f TLS1.2
TLS_PSK_AES_128_GCM_SHA256 0x00, 0xa8 TLS1.2
TLS_PSK_NULL_SHA256 0x00, 0xb0 TLS1.0
TLS_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x94 TLS1.0
TLS_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x95 TLS1.0
TLS_PSK_SALSA20_256_SHA1 0xe4, 0x17 SSL3.0
TLS_PSK_SALSA20_256_UMAC96 0xe4, 0x37 SSL3.0
TLS_PSK_ESTREAM_SALSA20_256_SHA1 0xe4, 0x16 SSL3.0
TLS_PSK_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x36 SSL3.0
TLS_PSK_AES_256_CBC_SHA384 0x00, 0xaf TLS1.0
TLS_PSK_NULL_SHA384 0x00, 0xb1 TLS1.0
TLS_RSA_PSK_ARCFOUR_128_SHA1 0x00, 0x92 TLS1.0
TLS_RSA_PSK_3DES_EDE_CBC_SHA1 0x00, 0x93 TLS1.0
TLS_RSA_PSK_AES_128_CBC_SHA1 0x00, 0x94 TLS1.0
TLS_RSA_PSK_AES_256_CBC_SHA1 0x00, 0x95 TLS1.0
TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256 0xc0, 0x92 TLS1.2
TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384 0xc0, 0x93 TLS1.2
TLS_RSA_PSK_AES_128_GCM_SHA256 0x00, 0xac TLS1.2
TLS_RSA_PSK_AES_128_CBC_SHA256 0x00, 0xb6 TLS1.0
TLS_RSA_PSK_NULL_SHA256 0x00, 0xb8 TLS1.0
TLS_RSA_PSK_AES_256_GCM_SHA384 0x00, 0xad TLS1.2
TLS_RSA_PSK_AES_256_CBC_SHA384 0x00, 0xb7 TLS1.0
TLS_RSA_PSK_NULL_SHA384 0x00, 0xb9 TLS1.0
TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x98 TLS1.0
TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x99 TLS1.0
TLS_DHE_PSK_ARCFOUR_128_SHA1 0x00, 0x8e TLS1.0
TLS_DHE_PSK_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0
TLS_DHE_PSK_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0
TLS_DHE_PSK_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0
TLS_DHE_PSK_AES_128_CBC_SHA256 0x00, 0xb2 TLS1.0
TLS_DHE_PSK_AES_128_GCM_SHA256 0x00, 0xaa TLS1.2
TLS_DHE_PSK_NULL_SHA256 0x00, 0xb4 TLS1.0
TLS_DHE_PSK_NULL_SHA384 0x00, 0xb5 TLS1.0
TLS_DHE_PSK_AES_256_CBC_SHA384 0x00, 0xb3 TLS1.0
TLS_DHE_PSK_AES_256_GCM_SHA384 0x00, 0xab TLS1.2
TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x96 TLS1.0
TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x97 TLS1.0
TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256 0xc0, 0x90 TLS1.2
TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384 0xc0, 0x91 TLS1.2
TLS_DH_ANON_ARCFOUR_128_MD5 0x00, 0x18 SSL3.0
TLS_DH_ANON_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0
TLS_DH_ANON_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
TLS_DH_ANON_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0
TLS_DH_ANON_CAMELLIA_128_CBC_SHA256 0x00, 0xbf TLS1.0
TLS_DH_ANON_CAMELLIA_256_CBC_SHA256 0x00, 0xc5 TLS1.0
TLS_DH_ANON_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0
TLS_DH_ANON_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0
TLS_DH_ANON_AES_128_CBC_SHA256 0x00, 0x6c TLS1.0
TLS_DH_ANON_AES_256_CBC_SHA256 0x00, 0x6d TLS1.0
TLS_DH_ANON_AES_128_GCM_SHA256 0x00, 0xa6 TLS1.2
TLS_DH_ANON_AES_256_GCM_SHA384 0x00, 0xa7 TLS1.2
TLS_DH_ANON_CAMELLIA_128_GCM_SHA256 0xc0, 0x84 TLS1.2
TLS_DH_ANON_CAMELLIA_256_GCM_SHA384 0xc0, 0x85 TLS1.2
TLS_ECDH_ANON_NULL_SHA1 0xc0, 0x15 SSL3.0
TLS_ECDH_ANON_3DES_EDE_CBC_SHA1 0xc0, 0x17 SSL3.0
TLS_ECDH_ANON_AES_128_CBC_SHA1 0xc0, 0x18 SSL3.0
TLS_ECDH_ANON_AES_256_CBC_SHA1 0xc0, 0x19 SSL3.0
TLS_ECDH_ANON_ARCFOUR_128_SHA1 0xc0, 0x16 SSL3.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2, VERS-DTLS0.9, VERS-DTLS1.0, VERS-DTLS1.2
Ciphers: AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM, AES-256-GCM, ARCFOUR-128, ESTREAM-SALSA20-256, SALSA20-256, CAMELLIA-256-CBC, CAMELLIA-192-CBC, CAMELLIA-128-CBC, CAMELLIA-128-GCM, CAMELLIA-256-GCM, 3DES-CBC, DES-CBC, ARCFOUR-40, RC2-40
MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD
Key exchange algorithms: ANON-DH, ANON-ECDH, RSA, DHE-RSA, DHE-DSS, ECDHE-RSA, ECDHE-ECDSA, SRP-DSS, SRP-RSA, SRP, PSK, RSA-PSK, DHE-PSK, ECDHE-PSK
Compression: COMP-DEFLATE, COMP-NULL
Elliptic curves: CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1
Public Key Systems: RSA, DSA, EC
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2, SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512
So now tell me please, where can I set these cipher suites for the whole system!
Kind regards,
elrippo.
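The thread never shows how to confirm, from the outside, that an Exim server has actually stopped negotiating SSLv3 after the main-section and transport changes Tony and Phil describe. The script below is an added example, not code from the thread or from the Exim or GnuTLS projects. It reuses the priority-string idiom elrippo posted (NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0) to pin a probe to exactly one protocol version, runs one STARTTLS handshake per version with gnutls-cli, and reports whether the server accepted it. It assumes a gnutls-cli new enough to have --starttls-proto (GnuTLS 3.4 and later); older builds need --starttls plus a manual EHLO/STARTTLS dialogue. The host, port and the "accepted/refused" labels are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): probe an SMTP server with gnutls-cli
# to see which protocol versions it still negotiates after STARTTLS.
# Assumes gnutls-cli >= 3.4 (for --starttls-proto).

# Build a GnuTLS priority string that allows exactly one protocol version.
# This is the thread's NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0 idiom, generalised
# to any version name gnutls-cli -l lists under "Protocols:".
priority_for() {
    printf 'NORMAL:-VERS-TLS-ALL:+VERS-%s\n' "$1"
}

# Attempt one STARTTLS handshake restricted to protocol $3 against $1:$2.
# Prints "accepted" when gnutls-cli reports a completed handshake, else "refused".
probe_proto() {
    host=$1 port=$2 proto=$3
    if gnutls-cli --starttls-proto=smtp --port "$port" \
            --priority "$(priority_for "$proto")" "$host" </dev/null 2>&1 \
        | grep -q 'Handshake was completed'; then
        echo accepted
    else
        echo refused
    fi
}

# Turn a probe result into a policy verdict: SSLv3 must be refused, anything
# newer being refused is only a warning because a modern gnutls-cli may itself
# have been built without that version (check with gnutls-cli -l).
verdict() {
    proto=$1 result=$2
    case "$proto:$result" in
        SSL3.0:accepted) echo "FAIL: $proto still negotiable" ;;
        SSL3.0:refused)  echo "ok:   $proto refused" ;;
        *:accepted)      echo "ok:   $proto accepted" ;;
        *:refused)       echo "warn: $proto refused (server policy, or this gnutls-cli build lacks it)" ;;
    esac
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 host [port]   (example: $0 mail.example.org 25)" >&2
        return 0
    fi
    command -v gnutls-cli >/dev/null 2>&1 || {
        echo "gnutls-cli not found" >&2
        return 1
    }
    host=$1 port=${2:-25}
    for proto in SSL3.0 TLS1.0 TLS1.1 TLS1.2; do
        verdict "$proto" "$(probe_proto "$host" "$port" "$proto")"
    done
}

main "$@"
```

Run it against the server's own port 25 (the incoming side, governed by the main-section tls_require_ciphers) and, to check the outgoing side, against a test host you control while the server delivers to it, since the transport's tls_require_ciphers only affects connections Exim initiates. A "refused" for SSL3.0 proves nothing if the probing gnutls-cli cannot speak SSL3.0 itself, so confirm VERS-SSL3.0 appears in that machine's gnutls-cli -l output first, as it does in the list above.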