Re: [exim] POODLE advisory from exim-announce

Góra strony
Delete this message
Reply to this message
Autor: elrippo
Data:  
Dla: exim-users
CC: Phil Pennock, Todd Lyons
Temat: Re: [exim] POODLE advisory from exim-announce
On Montag, 3. November 2014, 01:12:12 Phil Pennock wrote:
> On 2014-11-01 at 11:11 +0100, elrippo wrote:
> > I advised exim4 to use these ciphers, because nothing else is working, either writing mails nore recieving mails from other mail servers.
> >
> > tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0
> >
> >
> >
> > I sent a mail using my desktop client and my domain to google. Incomming exim4 used SSL outgoing TLS?!?!
>
> Let's go back to Tony's mail a moment here:
>
> ----------------------------8< cut here >8------------------------------
> To disable SSLv3 in Exim when compiled with GnuTLS, set the following in
> both the main options section of your configuration file (for incoming
> connection) and on your SMTP transports (for outgoing connections).
>
>         tls_require_ciphers = NORMAL:!VERS-SSL3.0
> ----------------------------8< cut here >8------------------------------

>
> It looks very much like you're only changing `tls_require_ciphers` in
> the main section of the configuration file, not on the SMTP Transport(s)
> too.
>
> -Phil
>
>


Hy Phil,
yes i know.....
I treid out to set the commands

tls_require_ciphers = NORMAL:!VERS-SSL3.0
tls_advertise_hosts = *
hosts_require_tls = *

in
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost

and
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp

after running update-exim4.conf it complains [main option "hosts_require_tls" unknown], ["tls_advertise_hosts" option set for the second time] and in

/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp [option "tls_require_ciphers" unknown]

hmmmm........

I mostly get [(gnutls_handshake): Could not negotiate a supported cipher suite.] so i checked the cipher suites with gnutls-cli -l

gnutls-cli -l
Cipher suites:
TLS_RSA_NULL_MD5                                        0x00, 0x01      SSL3.0
TLS_RSA_NULL_SHA1                                       0x00, 0x02      SSL3.0
TLS_RSA_NULL_SHA256                                     0x00, 0x3b      TLS1.0
TLS_RSA_ARCFOUR_128_SHA1                                0x00, 0x05      SSL3.0
TLS_RSA_ARCFOUR_128_MD5                                 0x00, 0x04      SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a      SSL3.0
TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      SSL3.0
TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA256                         0x00, 0xba      TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA256                         0x00, 0xc0      TLS1.0
TLS_RSA_CAMELLIA_128_CBC_SHA1                           0x00, 0x41      TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1                           0x00, 0x84      TLS1.0
TLS_RSA_AES_128_CBC_SHA256                              0x00, 0x3c      TLS1.0
TLS_RSA_AES_256_CBC_SHA256                              0x00, 0x3d      TLS1.0
TLS_RSA_AES_128_GCM_SHA256                              0x00, 0x9c      TLS1.2
TLS_RSA_AES_256_GCM_SHA384                              0x00, 0x9d      TLS1.2
TLS_RSA_CAMELLIA_128_GCM_SHA256                         0xc0, 0x7a      TLS1.2
TLS_RSA_CAMELLIA_256_GCM_SHA384                         0xc0, 0x7b      TLS1.2
TLS_RSA_SALSA20_256_SHA1                                0xe4, 0x11      SSL3.0
TLS_RSA_SALSA20_256_UMAC96                              0xe4, 0x31      SSL3.0
TLS_RSA_ESTREAM_SALSA20_256_SHA1                        0xe4, 0x10      SSL3.0
TLS_RSA_ESTREAM_SALSA20_256_UMAC96                      0xe4, 0x30      SSL3.0
TLS_DHE_DSS_ARCFOUR_128_SHA1                            0x00, 0x66      TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1                           0x00, 0x13      SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1                            0x00, 0x32      SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1                            0x00, 0x38      SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256                     0x00, 0xbd      TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256                     0x00, 0xc3      TLS1.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                       0x00, 0x44      TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                       0x00, 0x87      TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256                          0x00, 0x40      TLS1.0
TLS_DHE_DSS_AES_256_CBC_SHA256                          0x00, 0x6a      TLS1.0
TLS_DHE_DSS_AES_128_GCM_SHA256                          0x00, 0xa2      TLS1.2
TLS_DHE_DSS_AES_256_GCM_SHA384                          0x00, 0xa3      TLS1.2
TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256                     0xc0, 0x80      TLS1.2
TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384                     0xc0, 0x81      TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1                           0x00, 0x16      SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256                     0x00, 0xbe      TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256                     0x00, 0xc4      TLS1.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                       0x00, 0x45      TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                       0x00, 0x88      TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256                          0x00, 0x67      TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA256                          0x00, 0x6b      TLS1.0
TLS_DHE_RSA_AES_128_GCM_SHA256                          0x00, 0x9e      TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384                          0x00, 0x9f      TLS1.2
TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256                     0xc0, 0x7c      TLS1.2
TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384                     0xc0, 0x7d      TLS1.2
TLS_ECDHE_RSA_NULL_SHA1                                 0xc0, 0x10      SSL3.0
TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1                         0xc0, 0x12      SSL3.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1                          0xc0, 0x13      SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA1                          0xc0, 0x14      SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA384                        0xc0, 0x28      TLS1.0
TLS_ECDHE_RSA_ARCFOUR_128_SHA1                          0xc0, 0x11      SSL3.0
TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256                   0xc0, 0x76      TLS1.0
TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384                   0xc0, 0x77      TLS1.0
TLS_ECDHE_ECDSA_NULL_SHA1                               0xc0, 0x06      SSL3.0
TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1                       0xc0, 0x08      SSL3.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                        0xc0, 0x09      SSL3.0
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                        0xc0, 0x0a      SSL3.0
TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1                        0xc0, 0x07      SSL3.0
TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256                 0xc0, 0x72      TLS1.0
TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384                 0xc0, 0x73      TLS1.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256                      0xc0, 0x23      TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA256                        0xc0, 0x27      TLS1.0
TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256                 0xc0, 0x86      TLS1.2
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384                 0xc0, 0x87      TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                      0xc0, 0x2b      TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2c      TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                        0xc0, 0x2f      TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384                      0xc0, 0x24      TLS1.0
TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256                   0xc0, 0x8a      TLS1.2
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384                   0xc0, 0x8b      TLS1.2
TLS_ECDHE_RSA_SALSA20_256_SHA1                          0xe4, 0x13      SSL3.0
TLS_ECDHE_RSA_SALSA20_256_UMAC96                        0xe4, 0x33      SSL3.0
TLS_ECDHE_ECDSA_SALSA20_256_SHA1                        0xe4, 0x15      SSL3.0
TLS_ECDHE_ECDSA_SALSA20_256_UMAC96                      0xe4, 0x35      SSL3.0
TLS_ECDHE_RSA_ESTREAM_SALSA20_256_SHA1                  0xe4, 0x12      SSL3.0
TLS_ECDHE_RSA_ESTREAM_SALSA20_256_UMAC96                0xe4, 0x32      SSL3.0
TLS_ECDHE_ECDSA_ESTREAM_SALSA20_256_SHA1                0xe4, 0x14      SSL3.0
TLS_ECDHE_ECDSA_ESTREAM_SALSA20_256_UMAC96              0xe4, 0x34      SSL3.0
TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1                         0xc0, 0x34      SSL3.0
TLS_ECDHE_PSK_AES_128_CBC_SHA1                          0xc0, 0x35      SSL3.0
TLS_ECDHE_PSK_AES_256_CBC_SHA1                          0xc0, 0x36      SSL3.0
TLS_ECDHE_PSK_AES_128_CBC_SHA256                        0xc0, 0x37      TLS1.0
TLS_ECDHE_PSK_AES_256_CBC_SHA384                        0xc0, 0x38      TLS1.0
TLS_ECDHE_PSK_ARCFOUR_128_SHA1                          0xc0, 0x33      SSL3.0
TLS_ECDHE_PSK_NULL_SHA256                               0xc0, 0x3a      TLS1.0
TLS_ECDHE_PSK_NULL_SHA384                               0xc0, 0x3b      TLS1.0
TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256                   0xc0, 0x9a      TLS1.0
TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384                   0xc0, 0x9b      TLS1.0
TLS_ECDHE_PSK_SALSA20_256_SHA1                          0xe4, 0x19      SSL3.0
TLS_ECDHE_PSK_SALSA20_256_UMAC96                        0xe4, 0x39      SSL3.0
TLS_ECDHE_PSK_ESTREAM_SALSA20_256_SHA1                  0xe4, 0x18      SSL3.0
TLS_ECDHE_PSK_ESTREAM_SALSA20_256_UMAC96                0xe4, 0x38      SSL3.0
TLS_PSK_ARCFOUR_128_SHA1                                0x00, 0x8a      TLS1.0
TLS_PSK_3DES_EDE_CBC_SHA1                               0x00, 0x8b      TLS1.0
TLS_PSK_AES_128_CBC_SHA1                                0x00, 0x8c      TLS1.0
TLS_PSK_AES_256_CBC_SHA1                                0x00, 0x8d      TLS1.0
TLS_PSK_AES_128_CBC_SHA256                              0x00, 0xae      TLS1.0
TLS_PSK_AES_256_GCM_SHA384                              0x00, 0xa9      TLS1.2
TLS_PSK_CAMELLIA_128_GCM_SHA256                         0xc0, 0x8e      TLS1.2
TLS_PSK_CAMELLIA_256_GCM_SHA384                         0xc0, 0x8f      TLS1.2
TLS_PSK_AES_128_GCM_SHA256                              0x00, 0xa8      TLS1.2
TLS_PSK_NULL_SHA256                                     0x00, 0xb0      TLS1.0
TLS_PSK_CAMELLIA_128_CBC_SHA256                         0xc0, 0x94      TLS1.0
TLS_PSK_CAMELLIA_256_CBC_SHA384                         0xc0, 0x95      TLS1.0
TLS_PSK_SALSA20_256_SHA1                                0xe4, 0x17      SSL3.0
TLS_PSK_SALSA20_256_UMAC96                              0xe4, 0x37      SSL3.0
TLS_PSK_ESTREAM_SALSA20_256_SHA1                        0xe4, 0x16      SSL3.0
TLS_PSK_ESTREAM_SALSA20_256_UMAC96                      0xe4, 0x36      SSL3.0
TLS_PSK_AES_256_CBC_SHA384                              0x00, 0xaf      TLS1.0
TLS_PSK_NULL_SHA384                                     0x00, 0xb1      TLS1.0
TLS_RSA_PSK_ARCFOUR_128_SHA1                            0x00, 0x92      TLS1.0
TLS_RSA_PSK_3DES_EDE_CBC_SHA1                           0x00, 0x93      TLS1.0
TLS_RSA_PSK_AES_128_CBC_SHA1                            0x00, 0x94      TLS1.0
TLS_RSA_PSK_AES_256_CBC_SHA1                            0x00, 0x95      TLS1.0
TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256                     0xc0, 0x92      TLS1.2
TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384                     0xc0, 0x93      TLS1.2
TLS_RSA_PSK_AES_128_GCM_SHA256                          0x00, 0xac      TLS1.2
TLS_RSA_PSK_AES_128_CBC_SHA256                          0x00, 0xb6      TLS1.0
TLS_RSA_PSK_NULL_SHA256                                 0x00, 0xb8      TLS1.0
TLS_RSA_PSK_AES_256_GCM_SHA384                          0x00, 0xad      TLS1.2
TLS_RSA_PSK_AES_256_CBC_SHA384                          0x00, 0xb7      TLS1.0
TLS_RSA_PSK_NULL_SHA384                                 0x00, 0xb9      TLS1.0
TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256                     0xc0, 0x98      TLS1.0
TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384                     0xc0, 0x99      TLS1.0
TLS_DHE_PSK_ARCFOUR_128_SHA1                            0x00, 0x8e      TLS1.0
TLS_DHE_PSK_3DES_EDE_CBC_SHA1                           0x00, 0x8f      TLS1.0
TLS_DHE_PSK_AES_128_CBC_SHA1                            0x00, 0x90      TLS1.0
TLS_DHE_PSK_AES_256_CBC_SHA1                            0x00, 0x91      TLS1.0
TLS_DHE_PSK_AES_128_CBC_SHA256                          0x00, 0xb2      TLS1.0
TLS_DHE_PSK_AES_128_GCM_SHA256                          0x00, 0xaa      TLS1.2
TLS_DHE_PSK_NULL_SHA256                                 0x00, 0xb4      TLS1.0
TLS_DHE_PSK_NULL_SHA384                                 0x00, 0xb5      TLS1.0
TLS_DHE_PSK_AES_256_CBC_SHA384                          0x00, 0xb3      TLS1.0
TLS_DHE_PSK_AES_256_GCM_SHA384                          0x00, 0xab      TLS1.2
TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256                     0xc0, 0x96      TLS1.0
TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384                     0xc0, 0x97      TLS1.0
TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256                     0xc0, 0x90      TLS1.2
TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384                     0xc0, 0x91      TLS1.2
TLS_DH_ANON_ARCFOUR_128_MD5                             0x00, 0x18      SSL3.0
TLS_DH_ANON_3DES_EDE_CBC_SHA1                           0x00, 0x1b      SSL3.0
TLS_DH_ANON_AES_128_CBC_SHA1                            0x00, 0x34      SSL3.0
TLS_DH_ANON_AES_256_CBC_SHA1                            0x00, 0x3a      SSL3.0
TLS_DH_ANON_CAMELLIA_128_CBC_SHA256                     0x00, 0xbf      TLS1.0
TLS_DH_ANON_CAMELLIA_256_CBC_SHA256                     0x00, 0xc5      TLS1.0
TLS_DH_ANON_CAMELLIA_128_CBC_SHA1                       0x00, 0x46      TLS1.0
TLS_DH_ANON_CAMELLIA_256_CBC_SHA1                       0x00, 0x89      TLS1.0
TLS_DH_ANON_AES_128_CBC_SHA256                          0x00, 0x6c      TLS1.0
TLS_DH_ANON_AES_256_CBC_SHA256                          0x00, 0x6d      TLS1.0
TLS_DH_ANON_AES_128_GCM_SHA256                          0x00, 0xa6      TLS1.2
TLS_DH_ANON_AES_256_GCM_SHA384                          0x00, 0xa7      TLS1.2
TLS_DH_ANON_CAMELLIA_128_GCM_SHA256                     0xc0, 0x84      TLS1.2
TLS_DH_ANON_CAMELLIA_256_GCM_SHA384                     0xc0, 0x85      TLS1.2
TLS_ECDH_ANON_NULL_SHA1                                 0xc0, 0x15      SSL3.0
TLS_ECDH_ANON_3DES_EDE_CBC_SHA1                         0xc0, 0x17      SSL3.0
TLS_ECDH_ANON_AES_128_CBC_SHA1                          0xc0, 0x18      SSL3.0
TLS_ECDH_ANON_AES_256_CBC_SHA1                          0xc0, 0x19      SSL3.0
TLS_ECDH_ANON_ARCFOUR_128_SHA1                          0xc0, 0x16      SSL3.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1                           0xc0, 0x1a      TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1                            0xc0, 0x1d      TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1                            0xc0, 0x20      TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1                       0xc0, 0x1c      TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1                       0xc0, 0x1b      TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1                        0xc0, 0x1f      TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1                        0xc0, 0x1e      TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                        0xc0, 0x22      TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1                        0xc0, 0x21      TLS1.0


Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2, VERS-DTLS0.9, VERS-DTLS1.0, VERS-DTLS1.2
Ciphers: AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM, AES-256-GCM, ARCFOUR-128, ESTREAM-SALSA20-256, SALSA20-256, CAMELLIA-256-CBC, CAMELLIA-192-CBC, CAMELLIA-128-CBC, CAMELLIA-128-GCM, CAMELLIA-256-GCM, 3DES-CBC, DES-CBC, ARCFOUR-40, RC2-40
MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD
Key exchange algorithms: ANON-DH, ANON-ECDH, RSA, DHE-RSA, DHE-DSS, ECDHE-RSA, ECDHE-ECDSA, SRP-DSS, SRP-RSA, SRP, PSK, RSA-PSK, DHE-PSK, ECDHE-PSK
Compression: COMP-DEFLATE, COMP-NULL
Elliptic curves: CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1
Public Key Systems: RSA, DSA, EC
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2, SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512


So know tell me please, where can i set these cipher suites for the whole system!

Kind regards,
elrippo.