On Thu, Jan 21, 2016 at 10:55:19PM -0500, Curtis Villamizar wrote:
> It took a while to get a dumpfile. My tcpdump command only covered a
> subset of comcast.net mailhosts.
>
> This has a failed TLS negotiation and a few packets from a next
> attempt. The log entry below covers this first connection.
Comcast's Client Hello:
$ tshark -V -r file.pcap -T text
...
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 110
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 106
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Jan 21, 2016 21:42:08.000000000
random_bytes:
F015DF3A10F02A3715060148AFF41E28315A20155496A43A...
Session ID Length: 0
Cipher Suites Length: 18
Cipher Suites (9 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
...
No sign of ECDSA support, or AESGCM, or anything else bleeding
edge. Similarly configured MTAs will not be able to complete TLS
handshakes with your server unless you also deploy an RSA certificate.
--
Viktor.