Thanks, Michael.
On 30/11/16 at 06:03, Michael Menge via Info-cyrus wrote:
> Hi,
>
> Quoting Infraestructura TIC - UNNOBA via Info-cyrus
> <info-cyrus@lists.andrew.cmu.edu>:
>
>> Hello!
>> I've been using cyrus on a Debian VM for several years, but now SSL has
>> started to fail:
>>
>> Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
>> hard-coded DH parameters
>> Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
>> failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
>>
>> I tried with self-signed certificates, and third-party ones, but the
>> result is the same.
>> I spent two days trying to figure out what happened, without results.
>>
>> #openssl s_client -connect mail.server.test:993 -crlf -state
>> CONNECTED(00000003)
>> SSL_connect:before SSL initialization
>> SSL_connect:SSLv3/TLS write client hello
>> SSL3 alert read:fatal:handshake failure
>> SSL_connect:error in SSLv3/TLS write client hello
>> 140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
>> alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
>> 40
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 176 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>
> I believe the server and client have no SSL/TLS version and/or cipher
> in common and
> therefore can't establish an encrypted connection.
>
> Some time ago I found an SSL server test suite
> https://github.com/drwetter/testssl.sh
> which tries to do what https://www.ssllabs.com/ does for web servers,
> but for all protocols
> and for servers not reachable from the internet.
>
> You might want to check your server with ./testssl.sh
> mail.server.test:993

I tried with testssl.sh and sslscan, and both tools reported that TLS was not working on Cyrus:
"TLS renegotiation: Secure session renegotiation supported"

and

"Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
*TLS 1.2 not offered*
SPDY/NPN (SPDY is an HTTP protocol and thus not tested here)
HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested here)"

I solved it by specifying the ciphers this way (in /etc/imapd.conf):

tls_ciphers: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

instead of

tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH

And now TLS 1.2 is working. Thanks!

>
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : 0000
>> Session-ID:
>> Session-ID-ctx:
>> Master-Key:
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1480435442
>> Timeout : 7200 (sec)
>> Verify return code: 0 (ok)
>> Extended master secret: no
>> ---
>>
>>
>> I'm using these versions:
>>
>> cyrus-admin 2.5.10-2
>> cyrus-clients 2.5.10-2
>> cyrus-common 2.5.10-2
>> cyrus-doc 2.5.10-2
>> cyrus-imapd 2.5.10-2
>> cyrus-murder 2.5.10-2
>> cyrus-pop3d 2.5.10-2
>> cyrus-replication 2.5.10-2
>>
>>
>> Both the certificate and the key are accessible by user cyrus. The certificate is
>> up-to-date.
>>
>> This is the config:
>>
>> $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info conf
>> [...]
>> tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
>> tls_client_ca_dir: /etc/ssl/certs
>> tls_client_ca_file: /etc/ssl/certs/cyrus.pem
>> tls_server_cert: /etc/ssl/certs/cyrus.pem
>> tls_server_key: /etc/ssl/private/cyrus.key
>> tls_session_timeout: 0
>> [...]
>>
>>
>> And before I declared myself "completely lost", I was watching
>> entropy ... but it is ok.
>>
>> #cat /proc/sys/kernel/random/entropy_avail
>> 2354
>>
>>
>> Any suggestions?
>>
>> Thanks in advance!
>>
>> Javier.-
>
> --------------------------------------------------------------------------------
>
> M.Menge                         Tel.: (49) 7071/29-70316
> Universität Tübingen            Fax.: (49) 7071/29-5912
> Zentrum für Datenverarbeitung   mail: michael.me...@zdv.uni-tuebingen.de
> Wächterstraße 76
> 72074 Tübingen
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
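Before restarting Cyrus with a new tls_ciphers value, it is worth checking what the local OpenSSL actually expands that string to, since an empty expansion is exactly the "Cipher is (NONE)" state above. The following Python is an added example of mine, not code from the thread or from Cyrus; it assumes that Cyrus passes tls_ciphers unchanged to OpenSSL's cipher-list parser, and it uses the two values from this thread.

```python
import ssl

# The two tls_ciphers values from the thread: the one under which the server
# stopped negotiating, and the replacement that brought TLS 1.2 back.
OLD_TLS_CIPHERS = "TLSv1+HIGH:!aNULL:@STRENGTH"
NEW_TLS_CIPHERS = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
    "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
    "!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
)
# Suite-name fragments that the '!' exclusions in NEW_TLS_CIPHERS must remove
# (ADH/AECDH are the anonymous suites covered by !aNULL).
EXCLUDED_FRAGMENTS = ("NULL", "ADH", "AECDH", "DES-CBC3", "MD5", "EXP",
                      "PSK", "DSS", "RC4", "SEED", "IDEA", "ECDSA")


def expand_cipher_string(cipher_string):
    """Suites the local OpenSSL derives from the string, as get_ciphers() dicts
    ('name', 'protocol' = minimum protocol the suite needs, ...). An empty
    list means OpenSSL matched nothing: a server so configured cannot negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def suites_by_protocol(cipher_string):
    """Group the expanded suite names by the minimum protocol they require."""
    grouped = {}
    for suite in expand_cipher_string(cipher_string):
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def violates_exclusions(cipher_string):
    """Suite names that survived even though an exclusion should cover them."""
    return [s["name"] for s in expand_cipher_string(cipher_string)
            if any(frag in s["name"] for frag in EXCLUDED_FRAGMENTS)]


if __name__ == "__main__":
    for label, value in (("old", OLD_TLS_CIPHERS), ("new", NEW_TLS_CIPHERS)):
        print(f"tls_ciphers ({label}): {value}")
        for proto, names in sorted(suites_by_protocol(value).items()):
            print(f"  {proto}: {len(names)} suite(s), e.g. {names[0]}")
        print(f"  exclusion violations: {violates_exclusions(value)}")
```

The per-protocol grouping is the local equivalent of the testssl.sh "Testing protocols" section: if no suite in the output requires TLSv1.2, the server cannot offer TLS 1.2 regardless of certificates or entropy.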