Disable TLS1_0 and SSLv3 |
Post Reply 
|
| Author | |
ois 
Newbie 
Joined: 09 August 2011 Status: Offline Points: 16 |
 Post Options
 Thanks(0)
 Quote Reply
 Topic: Disable TLS1_0 and SSLv3Posted: 20 April 2015 at 11:42am |
|
Hi,
I've tried to disable TLS1_0 with the option DisableTLSv1_0=1 It doesn't work. I checked it with: openssl s_client -connect smtp.obx.de:465 -tls1 It is a big issue! I've very big trouble with the goverment. I have to stop TLS1_0 and SSLv3 and also fix the Forward Secrecy. I hope you can give us some help, tnx. Regards, Fritz |
|
 |
|
|
LogSat
Admin Group 
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 20 April 2015 at 4:36pm |
|
ois,
Had you restarted SpamFilter after making the change in the SpamFilter.ini file? I just checked your server, and TLSv1.0 is currently disabled. If we attempt a connection with TLS1.0 using the command you reported, you will see that there is no certificate exchange occurring, and that the s_client is unable to actually establish a connection and complete the SSL handshake - as you can see below in fact you never receive SpamFilter's welcome banner - the connection is terminated: openssl s_client -connect smtp.obx.de:465 -tls1 CONNECTED(00000003) write:errno=54 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1429561411 Timeout : 7200 (sec) Verify return code: 0 (ok) --- If you instead try issuing the same command without the -tls1 option, thus allowing the use of higher ciphers, you will see the certificates exchanged, the TLSv1.2 protocol being used, and the SSL handshake completes successfully as s_client will display SpamFilter's welcome banner (in green below): openssl s_client -connect smtp.obx.de:465 CONNECTED(00000003) depth=0 C = DE, ST = BY, L = Strasskirchen, O = OIS eK, OU = Div. Internet, CN = smtp.obx.de, emailAddress = webmaster@obx.de verify error:num=18:self signed certificate verify return:1 depth=0 C = DE, ST = BY, L = Strasskirchen, O = OIS eK, OU = Div. Internet, CN = smtp.obx.de, emailAddress = webmaster@obx.de verify return:1 --- Certificate chain 0 s:/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de i:/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de --- Server certificate -----BEGIN CERTIFICATE----- MIID+TCCAuGgAwIBAgIJAN9PnJx6gUD3MA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD VQQGEwJERTELMAkGA1UECAwCQlkxFjAUBgNVBAcMDVN0cmFzc2tpcmNoZW4xDzAN BgNVBAoMBk9JUyBlSzEWMBQGA1UECwwNRGl2LiBJbnRlcm5ldDEUMBIGA1UEAwwL c210cC5vYnguZGUxHzAdBgkqhkiG9w0BCQEWEHdlYm1hc3RlckBvYnguZGUwHhcN MTQwOTE3MTQ0NjQzWhcNMjQwOTE0MTQ0NjQzWjCBkjELMAkGA1UEBhMCREUxCzAJ BgNVBAgMAkJZMRYwFAYDVQQHDA1TdHJhc3NraXJjaGVuMQ8wDQYDVQQKDAZPSVMg ZUsxFjAUBgNVBAsMDURpdi4gSW50ZXJuZXQxFDASBgNVBAMMC3NtdHAub2J4LmRl MR8wHQYJKoZIhvcNAQkBFhB3ZWJtYXN0ZXJAb2J4LmRlMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEA2zcLbYN9rcH8xRtQWK8Ng+I6Ay0UadRtd5whYKKs etbzLhhKssgoxzzO3BZWiApVpERGuyrAhx+6HzxuHVSvZaQUhKPjR3TDDu1bSoPv ZkAvb/USZDOdJd5X/pIjRgqa206xMW0jwIYGZLXkPv0N16KTqv9XfsUTE2KP9qJH 7vhNq3lsmRl1mRaLNUgbXu/4uxFTJ0j2y4qyAS9I+DbhjUTHb9szkU01FV+eu2OT YuoYveilzA4bzvJZbkZEM62TN5M4mxuu42UG7Qz7fUcR1Uy67wd9RCxe0nTDebBU 3oLd3d3M/DQxkBC/fQsmKqWofvixbbijGwt4USn3z5/eSQIDAQABo1AwTjAdBgNV HQ4EFgQUy0YZQB3QpWpun6F/k0tpP+s3a+wwHwYDVR0jBBgwFoAUy0YZQB3QpWpu n6F/k0tpP+s3a+wwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAWFfK 4X41itAFNx0USBe3yuejMveY9F15D0vP+YR0RFhq7UuOqBbyerN6iWLzj5YyDerR CjIZuD9q55C3RdOUKZX4zLZJ+hWBlQSMcCzmj/nrCmsBqD6ihu57Be2/c4U1TOB3 g5MwEaw6t3e9V9C7g9LcwiEu1U75uPbulodYOIrRicHiC4c0AZPG7JdJOkjjxv8x 4wEBghnFc6HJCtsI+tPn3N8h3lFgoFQ5ErTo4M35ZLJreXmwW+loy8Ra/GjKAH7L 6HwAfpTAD2CLhxFE1fPEZavAAX376vCM4D7plHqU89D61g4ptmhZAKGzF8DOCi2d y6No+fkEsLqfi9MMmg== -----END CERTIFICATE----- subject=/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de issuer=/C=DE/ST=BY/L=Strasskirchen/O=OIS eK/OU=Div. Internet/CN=smtp.obx.de/emailAddress=webmaster@obx.de --- No client certificate CA names sent --- SSL handshake has read 1334 bytes and written 640 bytes --- New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES256-GCM-SHA384 Session-ID: 97B56087C52E63BD1EAC6B09831F9C55417D6695A110091DDD94D1B318987D82 Session-ID-ctx: Master-Key: 01D6B78695DE51BCA4D90FAC0A7FC89765671FDBFE82AF71152616B595A3428C3FFA8CA28BFFAA3E97866976F20AB0CD Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - a4 93 80 51 48 32 e5 ad-eb c9 6e d6 7d 4d 36 b0 ...QH2....n.}M6. 0010 - f5 0a 80 3d 1f 74 c9 46-dd c4 0e a4 21 d7 13 48 ...=.t.F....!..H 0020 - d2 68 62 32 fc 14 35 23-26 78 2d 56 0b c7 40 af .hb2..5#&x-V..@. 0030 - f9 27 ed 9d 71 c9 de 1b-40 d7 91 e4 a7 bb eb 3c .'..q...@......< 0040 - 9c 36 42 62 bc 22 50 ab-ec 81 66 f2 e2 19 3c 14 .6Bb."P...f...<. 0050 - 4f fd ea 8b fb 50 f0 fa-ca 15 bc 85 6a 38 5b 42 O....P......j8[B 0060 - c9 30 f4 7e 6b 25 e0 16-42 93 37 9e 73 30 88 ef .0.~k%..B.7.s0.. 0070 - d9 8e 68 62 b4 02 50 ea-5f d2 1d bd fc 95 d1 4f ..hb..P._......O 0080 - 3e ab 68 ae da 98 d9 25-62 a9 4e 09 51 0f 11 9a >.h....%b.N.Q... 0090 - 78 65 d5 ac e6 58 c0 42-47 90 ce ea 93 4f 39 b6 xe...X.BG....O9. Start Time: 1429561438 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- 220 smtp.obx.de Welcome to OIS ESMTP Server - All your actions are logged. Abuses will be reported to your ISP. Be well. You have been warned! Edited by LogSat - 20 April 2015 at 4:37pm |
|
|
|
|
ois
Newbie
Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Quote Reply
Posted: 23 April 2015 at 8:17am |
|
Of course did we a restart of the spamFilter Service.
But the tls1 and ssl_v3 ist still working. We fixed it now over a blocking in our firewall (DELL SonicWall). So, your test was after the blocking. However, spamFilter itself is'nt secure! |
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 23 April 2015 at 2:50pm |
|
ois, I apologize, you are absolutely right - we duplicated the issue. There has been a regression error starting from a previous version that caused that setting to not being read from the .ini file anymore. We will have a fix within the next few hours.
|
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 23 April 2015 at 10:46pm |
|
The issue has been fixed and the patch will be publicly released within the next 48 hours while we complete Quality Assurance for it. Should you need it sooner we'll be glad to provide it to you.
Thanks again for reporting this.
|
|
|
|
|
ois
Newbie
Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Quote Reply
Posted: 05 May 2015 at 10:33am |
|
What is this? 05.05.15 16:02:44:507 -- (255717888) Connection from: 212.62.77.230 - Originating country : Germany 05.05.15 16:02:44:554 -- (255717888) Received STARTTLS command 05.05.15 16:02:44:570 -- (255717888) Disconnect 05.05.15 16:02:44:570 -- (255717888) IdSMTPServerException non-critical error: Error accepting connection with SSL. -- error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
|
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 05 May 2015 at 12:26pm |
|
These errors are logged when a client is attempting to connect using a cipher not supported/allowed by SpamFilter. If they for example try to connect using the older/unsafe SSLv2, this non-critical error will be logged.
|
|
|
|
|
ois
Newbie
Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Quote Reply
Posted: 05 May 2015 at 12:41pm |
|
|
|
|
|
|
ois
Newbie
Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Quote Reply
Posted: 05 May 2015 at 12:47pm |
|
Ok, I understand, but is there a possibility to switch to a unsafe mode to accept this connection?
Best within a WhiteList? The Problem is, a very important custumer didn't receive mails, after I installed 4.87.0.133 and EnableTLSSupport=1 |
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 05 May 2015 at 2:18pm |
|
Sorry, that cannot be done. The enabled protocols/ciphers are determined upon listener startup, so they can't be customized per TCP connection. Well-behaved SMTP servers should file over to non-SSL/non-TLS connections if they can't make an encrypted connection, unless they were configured for security reasons to require an encrypted connection. However if they were configured like that for security reasons, then they would not be using insecure/vulnerable protocols...
If the failover to non-SSL/TLS is not working, besides disabling TLS support completely, you could try setting up another SpamFilter instance listening on a different IP, making that your secondary/tertiary MX record, and configuring that one with "EnableTLSSupport=0" to disable TLS support. The server that is using the older SSL protocols should then fail with the primary MX and connect to this secondary MX (as long as they respect the RFC and do try the secondary MX record). In regards to the SpamFilter license, you can run as many instances of SpamFilter as you want on the same server using just one license. We require separate licenses only if you install SpamFilter on separate servers.
|
|
|
|
|
ois
Newbie
Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Quote Reply
Posted: 06 May 2015 at 5:26am |
|
There is the same issue with emails from paypal.com with
"EnableTLSSupport=1"
Are you shure this ok? Meanwhile i configured "EnableTLSSupport=0" But this is'nt the solution i have do have here. Regards, Fritz |
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 06 May 2015 at 11:10pm |
|
We're not aware of any issues specific with PayPal - we'll look into it.
|
|
|
|
|
ois
Newbie
Joined: 09 August 2011 Status: Offline Points: 16 |
Post Options
Thanks(0)
Quote Reply
Posted: 07 May 2015 at 6:57am |
|
Here's the log:
05.05.15 14:00:22:039 -- (168694128) Detected TCP Connection: 173.0.84.227 on port: 25 05.05.15 14:00:22:039 -- (168694128) Connection from: 173.0.84.227 - Originating country : United States 05.05.15 14:00:22:415 -- (168694128) Received STARTTLS command 05.05.15 14:00:22:555 -- (168694128) Disconnect 05.05.15 14:00:22:571 -- (168694128) IdSMTPServerException non-critical error: Error accepting connection with SSL. -- error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol mx2.slc.paypal.com [173.0.84.227] This mails-server sends transaction mails to merchants. It is very impotant to our customers. |
|
|
|
Topic Options|
Post Reply
|
|
Tweet
|
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
This page was generated in 0.348 seconds.