Re: [Assp-test] TLS problems of connectivity?

2016-04-12 Thread Thomas Eckardt
>451 Requested action aborted: local error in processing

This reply is sent by assp if the MTA has closed the connection 
unexpectedly.
Yes, this may be caused by connectivity problems.

>OpenSSL-lib 1.0.1f 6 Jan 2014

If not for connectivity problems - but for security reasons I would 
upgrade to any of the latest 1.0.2x
Minimum version is 1.0.1h !

I use 'OpenSSL-lib 1.0.2c 12 Jun 2015' without any problems. All outgoing 
connections are using SSL and all connections to the local MTA are using 
TLS.

SSL_version:=SSLv2/3:!SSLv3:!SSLv2
SSL_cipher_list:=DEFAULT:!aNULL:!RC4:!MD5

I get several TLS connection errors a day, because a connected client 
tries to use SSLv3 (which is not allowed).

Thomas




From: "Pontus Hellgren"
To:
Date: 07.04.2016 15:54
Subject: [Assp-test] TLS problems of connectivity?



Hi there!

Having some TLS problems.

Question:
Will this "OpenSSL-lib 1.0.1f 6 Jan 2014 1.0.1f / 1.0.1h" be a major
concern and result in a lot of "451 Requested action aborted: local error in
processing" or is it due to bad connectivity in the TLS session?
Maybe both?

It mainly happens when a mail is forwarded or there is an attachment, usually
a PDF document, and we do not block PDF in ASSP.

Now running ASSP version 2.5.2(16097) but these problems relate further
back (according to logs) so now I need to know how to resolve it ;-)

Do I just need to upgrade OpenSSL-lib?
Or, how do I debug this further so I can find out what happens with those
connections dropping using TLS.

Regards,
Pontus






Re: [Assp-test] TLS problems of connectivity?

2016-04-12 Thread pon...@scandinavianhosting.se
OK, any way to debug log this in any way to resolve what's wrong?
Since I have one client running Thunderbird on Windows 10 which gets this 
problem more or less every time he attaches a file (on any type of internet 
connection) I should be able to get a result quite fast.

We run assp on latest ubuntu 14.04 LTS with latest patches from ubuntu so the 
version of Openssl-lib should be safe, although not latest version, right?

/Pontus




Re: [Assp-test] TLS problems of connectivity?

2016-04-12 Thread Thomas Eckardt
I got several reports about destroyed attachments in the forum. All of the 
users used Linux and all of them used an OpenSSL Lib 1.0.1c/d/e - so 
1.0.1f is recommended (but not tested!). I know 1.0.2c is working well 
with Net::SSLeay 1.72.

Thomas 






Re: [Assp-test] TLS problems of connectivity?

2016-04-12 Thread Grayhat
:: On Tue, 12 Apr 2016 11:23:57 +0200
:: Thomas Eckardt wrote:

> SSL_version:=SSLv2/3:!SSLv3:!SSLv2
> SSL_cipher_list:=DEFAULT:!aNULL:!RC4:!MD5

in case someone is interested, here's my config (watch the wrap)

DoTLS := do TLS
SSL_version := SSLv23:!SSLv3:!SSLv2
SSL_cipher_list :=
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above prioritizes strong ciphers while allowing a graceful fallback
to weaker ones to maintain support for obsolete clients; it's serving me
well and I feel like I can recommend it; the resulting ciphers offered
by ASSP with the above config will then be the following


Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256  
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.0  128 bits  RC4-SHA

as you see, the ciphers allow falling back all the way down to RC4-SHA
so allowing even really obsolete clients to connect over SSL; at the
same time, the preferred ciphers are the strongest ones offered, this
means that up-to-date clients will have strong security

HTH
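
Added example, not part of the original post or of ASSP: a small Python audit of scan output in the format quoted above, reporting which accepted suites are the fallback entries (RC4, or key exchange without forward secrecy) and which suite is preferred per protocol. The sample lines are a subset of the listing above; the function names and flag labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: a subset of the scan lines quoted in the message above.
SCAN = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
"""

LINE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)$")

def classify(cipher):
    """Return audit flags for one OpenSSL suite name as it appears in the scan."""
    flags = set()
    if "RC4" in cipher:
        flags.add("rc4")                  # RFC 7465 prohibits RC4 suites in TLS
    if not cipher.startswith(("ECDHE-", "DHE-")):
        flags.add("no-forward-secrecy")   # no ephemeral (EC)DH key exchange
    return flags

def audit(scan_text):
    """Parse scan lines into {protocol: {preferred, accepted, flagged}}."""
    report = defaultdict(lambda: {"preferred": None, "accepted": 0, "flagged": {}})
    for raw in scan_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # skip blanks and non-scan lines
        status, proto, _bits, cipher = m.groups()
        entry = report[proto]
        entry["accepted"] += 1
        if status == "Preferred":
            entry["preferred"] = cipher
        flags = classify(cipher)
        if flags:
            entry["flagged"][cipher] = flags
    return dict(report)

if __name__ == "__main__":
    for proto, entry in audit(SCAN).items():
        print(proto, "preferred:", entry["preferred"])
        for cipher, flags in sorted(entry["flagged"].items()):
            print("   ", cipher, "->", ", ".join(sorted(flags)))
```

Feeding it the full listing from a scan of your own listener shows at a glance whether the preferred suite per protocol is unflagged and how many flagged suites remain reachable as fallback.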
