Re: ssl handshake problem with bugs.debian.org?
Reco <recoverym4n@enotuniq.net> wrote:
> On Mon, Jul 27, 2020 at 10:43:11AM +0200, Harald Dunkel wrote:
>> I've got a ssl handshake problem with bugs.debian.org on sending an EMail.
>> My mta (OpenBSD 6.7, i.e. libressl) in the office says in its logfile
>>
>> :
>> Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
>> Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta server-cert-check result="failure"
> This tells me that buxtehude does not support TLSv1.3 at all.
> $ nmap -6 -p 25 -sV --script ssl-enum-ciphers buxtehude.debian.org
Interesting.
nmap shows the same for me, but testssl.sh does not:
,----
| Testing protocols via sockets
|
| SSLv2 not offered (OK)
| SSLv3 not offered (OK)
| TLS 1 offered (deprecated)
| TLS 1.1 offered (deprecated)
| TLS 1.2 offered (OK)
| TLS 1.3 offered (OK): final
|
| Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
| -----------------------------------------------------------------------------------------------------------------------------
| SSLv2
| -
| SSLv3
| -
| TLSv1 (no server order, thus listed by strength)
| xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
| xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
| TLSv1.1 (no server order, thus listed by strength)
| xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
| xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
| TLSv1.2 (no server order, thus listed by strength)
| xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
| xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
| xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM
| x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
| xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM
| x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
| xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM
| xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM
| x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
| x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
| TLSv1.3 (no server order, thus listed by strength)
| x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
| x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
| x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
| x1304 TLS_AES_128_CCM_SHA256 ECDH 253 AESCCM 128 TLS_AES_128_CCM_SHA256
`----
But I think the error might be here:
,----
| Common Name (CN) buxtehude.debian.org
| subjectAltName (SAN) missing -- no SAN is deprecated
| Issuer Debian SMTP CA (Debian SMTP from NA)
| Trust (hostname) via CN only -- CN only match is deprecated (same w/o SNI)
| Chain of trust NOT ok (chain incomplete)
`----
Debian uses their own CA to sign this certificate, which is fine for
SMTP, which normally only uses opportunistic encryption.
But if the client SMTP-Server is set to *verify* the certificate, it
will fail.
S!
--
Sigmentation fault. Core dumped.
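
The two smtpd log lines quoted at the top of the thread report cipher negotiation and certificate verification as separate events for the same session id. The following is an added example, not part of the original message, that correlates those events per session to tell a negotiation problem apart from a verification failure; every log line after the first two is constructed, and the `success` result value is an assumption.

```python
import re

# The first two lines are the ones quoted in the thread. The remaining lines
# are constructed for this example; the "success" value is an assumption.
SAMPLE_LOG = '''\
Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jul 27 10:23:39 gate5a smtpd[67056]: d4df9298d18e1596 mta server-cert-check result="failure"
Jul 27 10:25:02 gate5a smtpd[67056]: aaaa000000000001 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 27 10:25:02 gate5a smtpd[67056]: aaaa000000000001 mta server-cert-check result="success"
Jul 27 10:26:10 gate5a smtpd[67056]: aaaa000000000002 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
'''

LINE = re.compile(r'smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta (?P<event>.+)$')
TLS = re.compile(r'tls ciphers=(?P<proto>[^:]+):(?P<cipher>[^:]+):(?P<bits>\d+)')
CERT = re.compile(r'server-cert-check result="(?P<result>[^"]*)"')


def classify(session):
    """Turn the collected events of one session into a one-line verdict."""
    if session["proto"] is None:
        return "no TLS session logged"
    if session["cert"] == "failure":
        return "TLS negotiated, peer certificate failed verification"
    if session["cert"] is None:
        return "TLS negotiated, no verification result logged"
    return "TLS negotiated, peer certificate verified"


def summarize(log_text):
    """Group mta TLS events by session id and classify each session."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an mta session line
        s = sessions.setdefault(m["sid"], {"proto": None, "cipher": None, "cert": None})
        if (t := TLS.match(m["event"])):
            s["proto"], s["cipher"] = t["proto"], t["cipher"]
        elif (c := CERT.match(m["event"])):
            s["cert"] = c["result"]
    for s in sessions.values():
        s["verdict"] = classify(s)
    return sessions


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG).items():
        print(sid, s["proto"], s["cipher"], "->", s["verdict"])
```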