
Disable TLS1_0 and SSLv3

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7111
Printed Date: 27 December 2024 at 3:03am


Topic: Disable TLS1_0 and SSLv3
Posted By: ois
Subject: Disable TLS1_0 and SSLv3
Date Posted: 20 April 2015 at 11:42am
Hi,
I've tried to disable TLS1_0 with the option DisableTLSv1_0=1
It doesn't work.

I checked it with:
openssl s_client -connect smtp.obx.de:465 -tls1

It is a big issue! I'm in very big trouble with the government.
I have to stop TLS1_0 and SSLv3 and also fix the Forward Secrecy.

I hope you can give us some help, thanks.

Regards, Fritz




Replies:
Posted By: LogSat
Date Posted: 20 April 2015 at 4:36pm
ois,

Had you restarted SpamFilter after making the change in the SpamFilter.ini file? I just checked your server, and TLSv1.0 is currently disabled. If we attempt a connection with TLS1.0 using the command you reported, you will see that there is no certificate exchange occurring, and that s_client is unable to actually establish a connection and complete the SSL handshake. As you can see below, in fact you never receive SpamFilter's welcome banner; the connection is terminated:

openssl s_client -connect smtp.obx.de:465 -tls1
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429561411
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


If you instead try issuing the same command without the -tls1 option, thus allowing the use of higher ciphers, you will see the certificates exchanged, the TLSv1.2 protocol being used, and the SSL handshake completes successfully as s_client will display SpamFilter's welcome banner (the 220 line at the end of the output below):


openssl s_client -connect smtp.obx.de:465
CONNECTED(00000003)
depth=0 C = DE, ST = BY, L = Strasskirchen, O = OIS eK, OU = Div. Internet, CN = smtp.obx.de, emailAddress = webmaster@obx.de
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = BY, L = Strasskirchen, O = OIS eK, OU = Div. Internet, CN = smtp.obx.de, emailAddress = webmaster@obx.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de
   i:/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID+TCCAuGgAwIBAgIJAN9PnJx6gUD3MA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
VQQGEwJERTELMAkGA1UECAwCQlkxFjAUBgNVBAcMDVN0cmFzc2tpcmNoZW4xDzAN
BgNVBAoMBk9JUyBlSzEWMBQGA1UECwwNRGl2LiBJbnRlcm5ldDEUMBIGA1UEAwwL
c210cC5vYnguZGUxHzAdBgkqhkiG9w0BCQEWEHdlYm1hc3RlckBvYnguZGUwHhcN
MTQwOTE3MTQ0NjQzWhcNMjQwOTE0MTQ0NjQzWjCBkjELMAkGA1UEBhMCREUxCzAJ
BgNVBAgMAkJZMRYwFAYDVQQHDA1TdHJhc3NraXJjaGVuMQ8wDQYDVQQKDAZPSVMg
ZUsxFjAUBgNVBAsMDURpdi4gSW50ZXJuZXQxFDASBgNVBAMMC3NtdHAub2J4LmRl
MR8wHQYJKoZIhvcNAQkBFhB3ZWJtYXN0ZXJAb2J4LmRlMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA2zcLbYN9rcH8xRtQWK8Ng+I6Ay0UadRtd5whYKKs
etbzLhhKssgoxzzO3BZWiApVpERGuyrAhx+6HzxuHVSvZaQUhKPjR3TDDu1bSoPv
ZkAvb/USZDOdJd5X/pIjRgqa206xMW0jwIYGZLXkPv0N16KTqv9XfsUTE2KP9qJH
7vhNq3lsmRl1mRaLNUgbXu/4uxFTJ0j2y4qyAS9I+DbhjUTHb9szkU01FV+eu2OT
YuoYveilzA4bzvJZbkZEM62TN5M4mxuu42UG7Qz7fUcR1Uy67wd9RCxe0nTDebBU
3oLd3d3M/DQxkBC/fQsmKqWofvixbbijGwt4USn3z5/eSQIDAQABo1AwTjAdBgNV
HQ4EFgQUy0YZQB3QpWpun6F/k0tpP+s3a+wwHwYDVR0jBBgwFoAUy0YZQB3QpWpu
n6F/k0tpP+s3a+wwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAWFfK
4X41itAFNx0USBe3yuejMveY9F15D0vP+YR0RFhq7UuOqBbyerN6iWLzj5YyDerR
CjIZuD9q55C3RdOUKZX4zLZJ+hWBlQSMcCzmj/nrCmsBqD6ihu57Be2/c4U1TOB3
g5MwEaw6t3e9V9C7g9LcwiEu1U75uPbulodYOIrRicHiC4c0AZPG7JdJOkjjxv8x
4wEBghnFc6HJCtsI+tPn3N8h3lFgoFQ5ErTo4M35ZLJreXmwW+loy8Ra/GjKAH7L
6HwAfpTAD2CLhxFE1fPEZavAAX376vCM4D7plHqU89D61g4ptmhZAKGzF8DOCi2d
y6No+fkEsLqfi9MMmg==
-----END CERTIFICATE-----
subject=/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de
issuer=/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de
---
No client certificate CA names sent
---
SSL handshake has read 1334 bytes and written 640 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 97B56087C52E63BD1EAC6B09831F9C55417D6695A110091DDD94D1B318987D82
    Session-ID-ctx:
    Master-Key: 01D6B78695DE51BCA4D90FAC0A7FC89765671FDBFE82AF71152616B595A3428C3FFA8CA28BFFAA3E97866976F20AB0CD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a4 93 80 51 48 32 e5 ad-eb c9 6e d6 7d 4d 36 b0   ...QH2....n.}M6.
    0010 - f5 0a 80 3d 1f 74 c9 46-dd c4 0e a4 21 d7 13 48   ...=.t.F....!..H
    0020 - d2 68 62 32 fc 14 35 23-26 78 2d 56 0b c7 40 af   .hb2..5#&x-V..@.
    0030 - f9 27 ed 9d 71 c9 de 1b-40 d7 91 e4 a7 bb eb 3c   .'..q...@......<
    0040 - 9c 36 42 62 bc 22 50 ab-ec 81 66 f2 e2 19 3c 14   .6Bb."P...f...<.
    0050 - 4f fd ea 8b fb 50 f0 fa-ca 15 bc 85 6a 38 5b 42   O....P......j8[B
    0060 - c9 30 f4 7e 6b 25 e0 16-42 93 37 9e 73 30 88 ef   .0.~k%..B.7.s0..
    0070 - d9 8e 68 62 b4 02 50 ea-5f d2 1d bd fc 95 d1 4f   ..hb..P._......O
    0080 - 3e ab 68 ae da 98 d9 25-62 a9 4e 09 51 0f 11 9a   >.h....%b.N.Q...
    0090 - 78 65 d5 ac e6 58 c0 42-47 90 ce ea 93 4f 39 b6   xe...X.BG....O9.

    Start Time: 1429561438
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 smtp.obx.de Welcome to OIS ESMTP Server - All your actions are logged. Abuses will be reported to your ISP. Be well. You have been warned!



-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
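The two s_client runs above show the two outcomes to look for: with -tls1 the server drops the connection before any ServerHello ("SSL handshake has read 0 bytes", no certificate, no 220 banner), and without it TLSv1.2 is negotiated and the banner arrives. The script below is an added example, not LogSat's code and not part of the original post. It hand-builds a ClientHello for one chosen version (SSLv3, TLS 1.0, 1.1 or 1.2), sends it either directly (implicit TLS, port 465) or after a plaintext EHLO/STARTTLS prelude (port 25), and classifies the first bytes the server sends back. A raw probe is useful because current OpenSSL builds usually ship without SSLv3, and many distributions set a TLS 1.2 minimum in openssl.cnf, so s_client can no longer offer the very protocols you are trying to forbid. The target name smtp.obx.de is taken from the thread; the fixed all-zero client random, the cipher-suite list and the EHLO name probe.invalid are the example's own assumptions.

```python
"""Raw SSL/TLS version probe for an SMTP listener (implicit TLS on 465 or
STARTTLS on 25/587). It hand-builds a ClientHello at one chosen protocol
version and classifies the first bytes the server sends back, so it works
even where the local openssl build no longer offers -ssl3 or -tls1."""
import socket
import struct

# Protocol version numbers as carried in the record and handshake headers.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}

# Cipher suites defined for every version from SSLv3 through TLS 1.2, so a
# refusal can only be about the version, not about an unknown suite.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0xC013, 0xC014]

ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version_name, server_name=None):
    """Return one TLS record holding a minimal ClientHello for version_name."""
    major, minor = VERSIONS[version_name]
    client_random = b"\x00" * 32          # fixed so the bytes are reproducible (assumption)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (bytes([major, minor]) + client_random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # compression: null only
    if server_name and version_name != "SSLv3":          # SNI exists only for TLS; pass a hostname
        name = server_name.encode("ascii")
        sni = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Turn the server's first reply (or silence) into a verdict string."""
    if not data:
        return "rejected: connection closed without a TLS reply"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # Handshake record carrying a ServerHello; bytes 9..10 are the chosen version.
        chosen = (data[9], data[10])
        name = next((n for n, v in VERSIONS.items() if v == chosen), f"{chosen[0]}.{chosen[1]}")
        return f"accepted: server negotiated {name}"
    if data[0] == 0x15 and len(data) >= 7:
        level, desc = data[5], data[6]
        return f"rejected: TLS alert {ALERTS.get(desc, desc)} (level {level})"
    if data[:3].isdigit():
        return f"rejected: plaintext SMTP reply {data[:3].decode('ascii')}"
    return f"unrecognized reply {data[:5].hex()}"


def _smtp_code(sock):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = b""
        while not line.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                return b""
            line += chunk
        if len(line) < 4 or line[3:4] != b"-":   # last line of a reply is "code<space>..."
            return line[:3]


def probe(host, port, version_name, starttls=False, timeout=10):
    """Offer exactly one protocol version to host:port and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:                                      # plaintext SMTP prelude first
            if _smtp_code(sock) != b"220":
                return "no SMTP banner"
            sock.sendall(b"EHLO probe.invalid\r\n")       # hypothetical client name
            _smtp_code(sock)
            sock.sendall(b"STARTTLS\r\n")
            if _smtp_code(sock) != b"220":
                return "server refused STARTTLS"
        sock.sendall(build_client_hello(version_name, host))
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Host taken from the thread; only SSLv3 and TLSv1.0 should come back "rejected".
    for v in VERSIONS:
        print(f"{v:8s} {probe('smtp.obx.de', 465, v)}")
```

The desired state is "rejected" for SSLv3 and TLSv1.0 and "accepted" for TLSv1.2. Run the probe from a host inside the perimeter as well as from the Internet: a firewall that drops the old handshakes makes the daemon look hardened from outside while the setting in SpamFilter.ini may still be ignored. Where your openssl still has the old protocols compiled in, `openssl s_client -starttls smtp -connect host:25 -tls1` (or -tls1_1, -tls1_2, -ssl3) is the equivalent manual check.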


Posted By: ois
Date Posted: 23 April 2015 at 8:17am
Of course we did restart the SpamFilter service.
But TLS1 and SSLv3 are still working.
We fixed it now by blocking in our firewall (Dell SonicWall).
So your test was after the blocking. However, SpamFilter itself isn't secure!


Posted By: LogSat
Date Posted: 23 April 2015 at 2:50pm
ois, I apologize, you are absolutely right - we duplicated the issue. There has been a regression error starting from a previous version that caused that setting to no longer be read from the .ini file. We will have a fix within the next few hours.

-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: LogSat
Date Posted: 23 April 2015 at 10:46pm
The issue has been fixed and the patch will be publicly released within the next 48 hours while we complete Quality Assurance for it. Should you need it sooner we'll be glad to provide it to you.

Thanks again for reporting this.


-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: ois
Date Posted: 05 May 2015 at 10:33am
What is this?

05.05.15 16:02:44:507 -- (255717888) Connection from: 212.62.77.230  -  Originating country : Germany
05.05.15 16:02:44:554 -- (255717888) Received STARTTLS command
05.05.15 16:02:44:570 -- (255717888) Disconnect
05.05.15 16:02:44:570 -- (255717888) IdSMTPServerException non-critical error: Error accepting connection with SSL. -- error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol



Posted By: LogSat
Date Posted: 05 May 2015 at 12:26pm
These errors are logged when a client is attempting to connect using a cipher not supported/allowed by SpamFilter. If they for example try to connect using the older/unsafe SSLv2, this non-critical error will be logged.

-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: ois
Date Posted: 05 May 2015 at 12:41pm


Posted By: ois
Date Posted: 05 May 2015 at 12:47pm
Ok, I understand, but is there a possibility to switch to an unsafe mode to accept this connection?
Best within a whitelist?
The problem is, a very important customer didn't receive mails after I installed 4.87.0.133 and
EnableTLSSupport=1




Posted By: LogSat
Date Posted: 05 May 2015 at 2:18pm
Sorry, that cannot be done. The enabled protocols/ciphers are determined upon listener startup, so they can't be customized per TCP connection. Well-behaved SMTP servers should fail over to non-SSL/non-TLS connections if they can't make an encrypted connection, unless they were configured for security reasons to require an encrypted connection. However, if they were configured like that for security reasons, then they would not be using insecure/vulnerable protocols...

If the failover to non-SSL/TLS is not working, besides disabling TLS support completely, you could try setting up another SpamFilter instance listening on a different IP, making that your secondary/tertiary MX record, and configuring that one with "EnableTLSSupport=0" to disable TLS support. The server that is using the older SSL protocols should then fail with the primary MX and connect to this secondary MX (as long as they respect the RFC and do try the secondary MX record).

In regards to the SpamFilter license, you can run as many instances of SpamFilter as you want on the same server using just one license. We require separate licenses only if you install SpamFilter on separate servers.


-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: ois
Date Posted: 06 May 2015 at 5:26am
There is the same issue with emails from paypal.com with "EnableTLSSupport=1"
Are you sure this is ok?
Meanwhile I configured
"EnableTLSSupport=0"
But this isn't the solution I have to have here.

Regards, Fritz



Posted By: LogSat
Date Posted: 06 May 2015 at 11:10pm
We're not aware of any issues specific with PayPal - we'll look into it.

-------------
Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: ois
Date Posted: 07 May 2015 at 6:57am
Here's the log:
05.05.15 14:00:22:039 -- (168694128) Detected TCP Connection: 173.0.84.227 on port: 25
05.05.15 14:00:22:039 -- (168694128) Connection from: 173.0.84.227  -  Originating country : United States
05.05.15 14:00:22:415 -- (168694128) Received STARTTLS command
05.05.15 14:00:22:555 -- (168694128) Disconnect
05.05.15 14:00:22:571 -- (168694128) IdSMTPServerException non-critical error: Error accepting connection with SSL. -- error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

mx2.slc.paypal.com [173.0.84.227]
This mail server sends transaction mails to merchants.
It is very important to our customers.
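The two log excerpts in this thread (the 212.62.77.230 connection and the mx2.slc.paypal.com one) have the same shape: a "Connection from" line, "Received STARTTLS command", "Disconnect", and then the IdSMTPServerException with error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, all tied together by the connection id in parentheses. The script below is an added example, not part of SpamFilter and not from the original posts: it correlates lines by that id and lists the peer IPs whose STARTTLS attempt ended in a handshake error, which is the list an admin needs after tightening protocols. The sample log is constructed from the two quoted excerpts plus one invented successful STARTTLS connection from 192.0.2.10 (a TEST-NET address); the field layout is assumed from those excerpts only.

```python
"""Correlate SpamFilter-style SMTP log lines by connection id and list the
peers whose STARTTLS attempt ended in an 'Error accepting connection with
SSL' exception."""
import re
from collections import defaultdict

# Constructed sample: the two excerpts quoted in the thread plus one made-up
# connection (192.0.2.10, TEST-NET) whose STARTTLS succeeded.
SAMPLE_LOG = """\
05.05.15 14:00:22:039 -- (168694128) Detected TCP Connection: 173.0.84.227 on port: 25
05.05.15 14:00:22:039 -- (168694128) Connection from: 173.0.84.227  -  Originating country : United States
05.05.15 14:00:22:415 -- (168694128) Received STARTTLS command
05.05.15 14:00:22:555 -- (168694128) Disconnect
05.05.15 14:00:22:571 -- (168694128) IdSMTPServerException non-critical error: Error accepting connection with SSL. -- error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
05.05.15 16:02:44:507 -- (255717888) Connection from: 212.62.77.230  -  Originating country : Germany
05.05.15 16:02:44:554 -- (255717888) Received STARTTLS command
05.05.15 16:02:44:570 -- (255717888) Disconnect
05.05.15 16:02:44:570 -- (255717888) IdSMTPServerException non-critical error: Error accepting connection with SSL. -- error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
05.05.15 16:10:01:000 -- (300000001) Connection from: 192.0.2.10  -  Originating country : Germany
05.05.15 16:10:01:200 -- (300000001) Received STARTTLS command
05.05.15 16:10:03:900 -- (300000001) Disconnect
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}:\d{3}) -- \((?P<cid>\d+)\) (?P<msg>.*)$")
FROM_RE = re.compile(r"^Connection from: (?P<ip>[0-9.]+)\s+-\s+Originating country : (?P<country>.+)$")
TLS_ERR_RE = re.compile(
    r"Error accepting connection with SSL\. -- error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>.+)$")


def parse_connections(log_text):
    """Group log lines by connection id into one record per TCP connection."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a SpamFilter event line
        cid, msg = m["cid"], m["msg"]
        c = conns.setdefault(cid, {"cid": cid, "first_seen": m["ts"], "ip": None,
                                   "country": None, "starttls": False, "tls_error": None})
        fm = FROM_RE.match(msg)
        if fm:
            c["ip"], c["country"] = fm["ip"], fm["country"].strip()
        elif msg.startswith("Received STARTTLS command"):
            c["starttls"] = True
        else:
            em = TLS_ERR_RE.search(msg)
            if em:
                c["tls_error"] = f"{em['code']}:{em['func']}:{em['reason']}"
    return conns


def failed_starttls_peers(log_text):
    """Map peer IP -> connection ids where STARTTLS was requested and the handshake failed."""
    by_ip = defaultdict(list)
    for c in parse_connections(log_text).values():
        if c["starttls"] and c["tls_error"]:
            by_ip[c["ip"]].append(c["cid"])
    return dict(by_ip)


def report(log_text):
    """Human-readable summary lines, one per failing peer, sorted by IP string."""
    conns = parse_connections(log_text)
    out = []
    for ip, cids in sorted(failed_starttls_peers(log_text).items()):
        first = conns[cids[0]]
        out.append(f"{ip} ({first['country']}): {len(cids)} failed STARTTLS handshake(s); "
                   f"first at {first['first_seen']}, reason {first['tls_error']}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

"unknown protocol" from SSL23_GET_CLIENT_HELLO means OpenSSL could not parse what arrived after STARTTLS as a supported SSL/TLS ClientHello, so the list says which peers to investigate, not which side is at fault. The next step for each IP is a per-version handshake test against your own listener from that peer's point of view, or a look at the sender's published mail setup, before deciding between relaxing your listener and asking the sender to update.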




