Re: [Assp-test] Couldn't upgrade to TLS for client
:: On Fri, 3 Jun 2016 12:29:01 +0200
:: <20160603122901.7...@gmx.net>
:: Grayhat wrote:

> :: On Fri, 3 Jun 2016 10:17:58 +
> :: <5ad00d80569e0f4f9a12bbb01f00ee795a868...@bcsw-smx07.mymhp.net>
> :: Martin Voßloh wrote:
>
> > Hi,
> >
> > it´s possible that the entry is going wrong in this mail?
> >
> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> >
> > the "k" in front of some entries?
>
> no, the "k" is correct, stands for "key exchange" and is accepted by
> OpenSSL w/o problems (also tried it with other apps using OpenSSL to
> implement SSL support)

notice that, using the above string, you'll offer the following ciphers

Preferred  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted   TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384
Accepted   TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA
Accepted   TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384
Accepted   TLSv1.2  256 bits  DHE-RSA-AES256-SHA256
Accepted   TLSv1.2  256 bits  DHE-RSA-AES256-SHA
Accepted   TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted   TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted   TLSv1.2  256 bits  AES256-SHA256
Accepted   TLSv1.2  256 bits  AES256-SHA
Accepted   TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted   TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted   TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256
Accepted   TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA
Accepted   TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256
Accepted   TLSv1.2  128 bits  DHE-RSA-AES128-SHA256
Accepted   TLSv1.2  128 bits  DHE-RSA-AES128-SHA
Accepted   TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted   TLSv1.2  128 bits  AES128-SHA256
Accepted   TLSv1.2  128 bits  AES128-SHA
Accepted   TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA
Accepted   TLSv1.2  128 bits  RC4-SHA
Preferred  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA
Accepted   TLSv1.1  256 bits  DHE-RSA-AES256-SHA
Accepted   TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted   TLSv1.1  256 bits  AES256-SHA
Accepted   TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted   TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA
Accepted   TLSv1.1  128 bits  DHE-RSA-AES128-SHA
Accepted   TLSv1.1  128 bits  AES128-SHA
Accepted   TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA
Accepted   TLSv1.1  128 bits  RC4-SHA
Preferred  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA
Accepted   TLSv1.0  256 bits  DHE-RSA-AES256-SHA
Accepted   TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted   TLSv1.0  256 bits  AES256-SHA
Accepted   TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted   TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA
Accepted   TLSv1.0  128 bits  DHE-RSA-AES128-SHA
Accepted   TLSv1.0  128 bits  AES128-SHA
Accepted   TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA
Accepted   TLSv1.0  128 bits  RC4-SHA

if using a normal certificate; if instead you have an ECDSA enabled
certificate, you'll also offer the following ciphers in addition to the
above (and preferred)

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256

as you see, the setup offers the stronger ciphers first while still
maintaining support for weaker, older ones as a last resource which helps
maintaining compatibility with older clients

--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports.
https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
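As an added example (not code from the thread, from ASSP or from OpenSSL), a small Python parser for the operator grammar of OpenSSL cipher strings, run over the string discussed above: it splits the list into ordered add/demote/kill rules, explains the lowercase k/a/e prefixes Martin asked about, and reports which selectors from a constructed "weak" list the string still leaves offered. It models the grammar only, not OpenSSL's actual suite resolution.

```python
import re

# Cipher string from the thread (the suggested SSL_cipher_list value).
CIPHER_STRING = (
    "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:"
    "!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED"
)

# Leading operators in OpenSSL's cipher-list grammar.
OPERATORS = {
    "!": "kill",    # removed for good; a later element cannot re-add it
    "-": "remove",  # removed, but a later element may add it back
    "+": "demote",  # kept, but matching suites move to the end of the list
}

# A lowercase prefix names the part of the suite a selector refers to:
# k = key exchange, a = authentication, e = encryption (hence aNULL/eNULL).
PREFIX_MEANING = {"k": "key exchange", "a": "authentication", "e": "encryption"}
PREFIXED = re.compile(r"^([kae])[A-Z]")

# Selectors a defender would not want left offered (constructed list, not an OpenSSL alias).
WEAK = {"RC4", "3DES", "MD5", "EXP", "LOW", "aNULL", "eNULL"}


def parse_cipher_string(s):
    """Split a cipher string into ordered (op, selectors) rules;
    'A+B' inside one element means suites matching both A and B."""
    rules = []
    for elem in s.split(":"):
        op = "add"
        if elem[:1] in OPERATORS:
            op, elem = OPERATORS[elem[0]], elem[1:]
        rules.append((op, elem.split("+")))
    return rules


def prefix_meaning(selector):
    """Explain the lowercase prefix (the 'k' asked about above), if any."""
    m = PREFIXED.match(selector)
    return PREFIX_MEANING[m.group(1)] if m else None


def weak_still_offered(rules):
    """WEAK selectors that are added or demoted and never killed. For the
    thread's string this is ['RC4']: the deliberate last-resort fallback."""
    killed = {s for op, sels in rules if op == "kill" for s in sels}
    kept = []
    for op, sels in rules:
        for s in sels:
            if op != "kill" and s in WEAK and s not in killed and s not in kept:
                kept.append(s)
    return kept
```

Note that RC4 survives because the string both adds it and only demotes it; a `!RC4` element would remove it from the offered set entirely.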
Re: [Assp-test] Couldn't upgrade to TLS for client
:: On Fri, 3 Jun 2016 10:17:58 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a868...@bcsw-smx07.mymhp.net>
:: Martin Voßloh wrote:

> Hi,
>
> it´s possible that the entry is going wrong in this mail?
>
> kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>
> the "k" in front of some entries?

no, the "k" is correct, stands for "key exchange" and is accepted by
OpenSSL w/o problems (also tried it with other apps using OpenSSL to
implement SSL support)
Re: [Assp-test] Couldn't upgrade to TLS for client
Hi,

it´s possible that the entry is going wrong in this mail?

kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the "k" in front of some entries? Like those
https://www.kuketz-blog.de/nsa-abhoersichere-ssl-verschluesselung-fuer-apache-und-nginx/

Regards
Martin

-----Original Message-----
From: Grayhat [mailto:gray...@gmx.net]
Sent: Friday, 3 June 2016 09:07
To: assp-test@lists.sourceforge.net
Subject: Re: [Assp-test] Couldn't upgrade to TLS for client

:: On Thu, 2 Jun 2016 11:55:38 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a865...@bcsw-smx07.mymhp.net>
:: Martin Voßloh <martin.voss...@mhp.com> wrote:

> Hello,
>
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for
> client XXX.XXX.XXX.XXX:
>
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS            do TLS
SSL_version      SSLv23:!SSLv3:!SSLv2
SSL_cipher_list  kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suites combo offering strong
ciphers first but allowing to downgrade to weak ones in case the remote
client doesn't support the stronger ones; sure, you may still see some
"TLS" messages, but in such a case, those will probably come from very
old clients which don't support TLS and only support "SSLvX" (or from
bots trying to exploit the SSL bugs to extract infos) so, just ignore
those errors :)
Re: [Assp-test] Couldn't upgrade to TLS for client
:: On Thu, 2 Jun 2016 11:55:38 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a865...@bcsw-smx07.mymhp.net>
:: Martin Voßloh wrote:

> Hello,
>
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for
> client XXX.XXX.XXX.XXX:
>
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS            do TLS
SSL_version      SSLv23:!SSLv3:!SSLv2
SSL_cipher_list  kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suites combo offering strong
ciphers first but allowing to downgrade to weak ones in case the remote
client doesn't support the stronger ones; sure, you may still see some
"TLS" messages, but in such a case, those will probably come from very
old clients which don't support TLS and only support "SSLvX" (or from
bots trying to exploit the SSL bugs to extract infos) so, just ignore
those errors :)
Re: [Assp-test] Couldn't upgrade to TLS for client
Hi Pontus,

Thx for your reply. So I can ignore this information.

Regards
Martin

-----Original Message-----
From: Pontus Hellgren [mailto:pontus.hellg...@scandinavianhosting.se]
Sent: Thursday, 2 June 2016 14:29
To: Martin Voßloh <martin.voss...@mhp.com>
Subject: FW: [Assp-test] Couldn't upgrade to TLS for client

In case this does not reach the list. I feel I have been muted/blocked from the list :-( None of my latest posts have reached the list.

Regards,
Pontus

-----Original Message-----
From: Pontus Hellgren [mailto:pontus.hellg...@scandinavianhosting.se]
Sent: 2 June 2016 14:27
To: 'ASSP development mailing list' <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] Couldn't upgrade to TLS for client

Hi Martin!

I believe (and anyone can correct me) that you should not allow your TLS/SSL to run low security handshakes or connections. This might expose your certificate (due to low encryption). We do not allow anything lower than TLSv1 for TLS sessions. We get the "Error" in our logs too, but we see these as a "Warning/Notice" ourselves. The sender has to resort to plain text rather than us exposing our certificate to malice.

I see this a lot from Asian and African "senders/clients" and probably a couple of botnets trying this. No newer client should refuse using TLSv1 or higher. My guess is it's some kind of "fishing" to make you lower your security. We don't!

I may stand corrected,
Pontus

-----Original Message-----
From: Martin Voßloh [mailto:martin.voss...@mhp.com]
Sent: 2 June 2016 13:56
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Subject: [Assp-test] Couldn't upgrade to TLS for client

Hello,

I have very often this error in my logs:
Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for client XXX.XXX.XXX.XXX:

These settings I have for: SSL version used for transmission (SSL_version)
SSLv23:!SSLv3:!SSLv2

Should I try this:
In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.
Or do I have another problem?

Thx and Regards
Martin

ASSP version 2.5.2(16142)