
Re: ssl handshake problem with bugs.debian.org?



	Hi.

On Mon, Jul 27, 2020 at 10:43:11AM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> I've got an SSL handshake problem with bugs.debian.org on sending an EMail.
> My mta (OpenBSD 6.7, i.e. libressl) in the office says in its logfile
> 
> :
> Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
> Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta server-cert-check result="failure"

This tells me that buxtehude does not support TLSv1.3 at all.

$ nmap -6 -p 25 -sV --script ssl-enum-ciphers buxtehude.debian.org
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-27 11:00 CEST
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.74% done; ETC: 11:00 (0:00:01 remaining)
Nmap scan report for buxtehude.debian.org (2607:f8f0:614:1::1274:39)
Host is up (0.15s latency).
Other addresses for buxtehude.debian.org (not scanned): 209.87.16.39

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Exim smtpd 4.92
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A


> We send a bazillion of EMails via this MTA each day. This handshake
> problem shows up only for buxtehude, AFAICT. Is there a compatibility
> issue with openssl in Debian and libressl used in OpenBSD 6.7? AFAIU
> TLS 1.3 is not in libressl yet.

Hardly. It's rather that buxtehude does not announce TLSv1.3 at all, and it
may be attributed to the state of TLSv1.3 in GnuTLS (which
exim-daemon-heavy should use).

Reco
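
An added example, not part of the original message: a Python sketch that cross-checks the protocol version recorded in the smtpd log lines against the versions listed in the nmap ssl-enum-ciphers output, using an abridged copy of the data quoted above. The function names and regular expressions are assumptions based only on the line formats shown in this message.

```python
import re

# Sample input abridged from the nmap output and smtpd log lines quoted above.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
"""
SMTPD_LOG = """\
Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta server-cert-check result="failure"
"""

VERSION_RE = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+) \(([^)]*)\) - ([A-F])\s*$")
TLS_LOG_RE = re.compile(r"smtpd\[\d+\]: (\w+) mta tls ciphers=([^:\s]+):([^:\s]+):(\d+)")
CERT_LOG_RE = re.compile(r'smtpd\[\d+\]: (\w+) mta server-cert-check result="(\w+)"')

def parse_scan(text):
    """Return {protocol version: [(cipher, key exchange, grade), ...]} from the scan."""
    offered, current = {}, None
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            current = offered.setdefault(m.group(1), [])
        elif (m := CIPHER_RE.match(line)) and current is not None:
            current.append(m.groups())
    return offered

def parse_sessions(log):
    """Group smtpd lines by session id: negotiated version/cipher/bits and cert check."""
    sessions = {}
    for line in log.splitlines():
        if m := TLS_LOG_RE.search(line):
            sessions.setdefault(m.group(1), {}).update(version=m.group(2), cipher=m.group(3), bits=int(m.group(4)))
        elif m := CERT_LOG_RE.search(line):
            sessions.setdefault(m.group(1), {})["cert_check"] = m.group(2)
    return sessions

def cross_check(scan_text, log_text):
    """Per session, record whether the negotiated version appears in the scan."""
    offered = parse_scan(scan_text)
    return {sid: {**s, "version_in_scan": s.get("version") in offered}
            for sid, s in parse_sessions(log_text).items()}

print(cross_check(NMAP_OUTPUT, SMTPD_LOG))
```

A version missing from the scan means either that the server does not offer it or that the scanner did not probe for it, so the log and the scan are best read together.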

