On Mon, Nov 25, 2024 at 11:52:07AM +0100, Matus UHLAR - fantomas via
Postfix-users wrote:
> This is Debian 12, postfix 3.7.11 and SSL 3.0.15.
Does Debian do anything similar to RedHat's crypto policy?
> > Note that these ciphers don't enable "forward-secrecy", they use RSA key
> > exchange:
> >
> > $ openssl ciphers -V -stdname -s -tls1_2 -v 'HIGH+AES+kRSA+CBC:@STRENGTH'
> > 0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 -
> > AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256)
> > Mac=SHA256
> > 0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA -
> > AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256)
> > Mac=SHA1
> > 0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 -
> > AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)
> > Mac=SHA256
> > 0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA -
> > AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128)
> > Mac=SHA1
> >
> > So, my money is on RSA key exchange being disabled in your OpenSSL,
> > unless there are other Postfix settings you've not shared that do that.
>
> I can see these ciphers when I fed the command above with contents of
> tls_medium_cipherlist/tls_high_cipherlist
Have you tries connecting to this server with:
$ openssl s_client -connect <hostname>:25 \
-starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'
Seems like determining whether the ciphers could interoperate is the
first step.
> Looking back at pcap output:
>
> Alert Message
> Level: Fatal (2)
> Description: Handshake Failure (40)
That's not useful, without known which party sent the alert.
> Now I am not even sure it's problem of ciphers (don't that error produce
> different output?), can this be caused by other property?
>
> Signature Hash Algorithms (10 algorithms)
> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
> Signature Algorithm: SHA1 DSA (0x0202)
> Signature Algorithm: ecdsa_sha1 (0x0203)
> Signature Algorithm: MD5 RSA (0x0101)
Let's avoid random guesses.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
