On 2013.10.21. 23:31, Viktor Dukhovni wrote:
> 
> Once again after the handshake completes.
> 
> When I try:
> 
>     $ posttls-finger -t30 -T 180 -c -Ldebug "[mail.co.inbox.lv]"
>     posttls-finger: initializing the client-side TLS engine
>     posttls-finger: Connected to mail.co.inbox.lv[195.13.218.205]:25
>     posttls-finger: setting up TLS connection to mail.co.inbox.lv[195.13.218.205]:25
>     posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
>     posttls-finger: SSL_connect:before/connect initialization
>     posttls-finger: SSL_connect:SSLv2/v3 write client hello A
>     posttls-finger: SSL_connect:SSLv3 read server hello A
>     posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: depth=0 verify=0 subject=/C=LV/ST=VIDZEME/L=RIGA/O=SIA INBOKSS/CN=office.co.inbox.lv/emailAddress=adm...@co.inbox.lv
>     posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: depth=0 verify=0 subject=/C=LV/ST=VIDZEME/L=RIGA/O=SIA INBOKSS/CN=office.co.inbox.lv/emailAddress=adm...@co.inbox.lv
>     posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: depth=0 verify=0 subject=/C=LV/ST=VIDZEME/L=RIGA/O=SIA INBOKSS/CN=office.co.inbox.lv/emailAddress=adm...@co.inbox.lv
>     posttls-finger: SSL_connect:SSLv3 read server certificate A
>     posttls-finger: SSL_connect:SSLv3 read server done A
>     posttls-finger: SSL_connect:SSLv3 write client key exchange A
>     posttls-finger: SSL_connect:SSLv3 write change cipher spec A
>     posttls-finger: SSL_connect:SSLv3 write finished A
>     posttls-finger: SSL_connect:SSLv3 flush data
>     posttls-finger: SSL_connect:SSLv3 read finished A
>     posttls-finger: certificate verification failed for mail.co.inbox.lv[195.13.218.205]:25: untrusted issuer /C=LV/ST=VIDZEME/O=SIA INBOKSS/CN=*.inbox.lv/emailAddress=adm...@co.inbox.lv
>     posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: subject_CN=office.co.inbox.lv, issuer_CN=*.inbox.lv, fingerprint=F6:57:C5:1E:51:82:15:E6:2B:E5:D7:A2:2C:1E:91:27:C5:B5:40:02, pkey_fingerprint=C4:B4:12:4B:0F:1A:53:35:6B:27:70:D5:60:19:16:0B:66:48:B4:DD
>     posttls-finger: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1.1 with cipher RC4-MD5 (128/128 bits)
> 
> I get RC4-MD5, which is likely the only working ciphersuite on this
> server.  Make sure your smtp_tls_loglevel=1, and report the "TLS
> connection established" log entries.
> 
> When I set the ciphers to "high" for this destination, I get:
> 
>     ...
>     posttls-finger: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
>     posttls-finger: SSL3 alert write:fatal:protocol version
>     posttls-finger: warning: TLS library problem: 28603:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/home/builds/ab/HEAD/src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:339:
>     posttls-finger: warning: lost connection while sending QUIT command
> 
> So this is definitely a version of the broken Windows TLS ciphersuite
> problem.  If you must use TLS with this server, disable TLSv1.2
> and 3DES, allow medium grade ciphers (i.e. RC4) and make sure your
> policy tables, ... are postmapped.

It was clear from the beginning that disabling TLS 1.2 fixes the issue.
The question is whether it is possible to fix the problem by mangling the
cipher suite list, without completely removing TLS 1.2?


Where can the posttls-finger tool be obtained?

> 
> Do tell the remote site administrator their server is a mess.
> 

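The thread asks for the "TLS connection established" entries that Postfix logs at smtp_tls_loglevel=1. The following is an added example, not part of the thread or of Postfix: a small parser that extracts the negotiated protocol and cipher from such lines and lists legacy cipher components. The function names, the weak-token set, and the third sample line are assumptions made for illustration.

```python
import re

# Summary line format as shown in the posttls-finger output quoted above.
TLS_LINE = re.compile(
    r"(?P<trust>\w+) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<used>\d+)/(?P<avail>\d+) bits\)"
)

# Assumption: cipher-name tokens treated as legacy here; adjust to local policy.
WEAK_TOKENS = {"RC4", "MD5", "DES", "NULL", "EXP"}


def parse_tls_line(line):
    """Return the fields of one summary line as a dict, or None if no match."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["used"] = int(rec["used"])
    rec["avail"] = int(rec["avail"])
    return rec


def audit(lines):
    """Return (host, trust, proto, cipher, weak_tokens) for every summary line."""
    results = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # handshake debug lines, warnings, unrelated log entries
        weak = [t for t in rec["cipher"].split("-") if t in WEAK_TOKENS]
        results.append((rec["host"], rec["trust"], rec["proto"], rec["cipher"], weak))
    return results


# First two lines come from the output quoted in this thread; the third is constructed.
SAMPLE = [
    "posttls-finger: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1.1 with cipher RC4-MD5 (128/128 bits)",
    "posttls-finger: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "postfix/smtp[1234]: Trusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "posttls-finger: warning: lost connection while sending QUIT command",
]

if __name__ == "__main__":
    for host, trust, proto, cipher, weak in audit(SAMPLE):
        print(host, trust, proto, cipher, "legacy: " + ",".join(weak) if weak else "ok")
```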