Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Grayhat
:: On Fri, 3 Jun 2016 12:29:01 +0200
:: <20160603122901.7...@gmx.net>
:: Grayhat  wrote:

> :: On Fri, 3 Jun 2016 10:17:58 +
> :: <5ad00d80569e0f4f9a12bbb01f00ee795a868...@bcsw-smx07.mymhp.net>
> :: Martin Voßloh  wrote:
> 
> > Hi,
> >   
> > Is it possible that the entry is going wrong in this mail?
> > 
> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> > 
> > the "k" in front of some entries?
> 
> no, the "k" is correct, stands for "key exchange" and is accepted by
> OpenSSL w/o problems (also tried it with other apps using OpenSSL to
> implement SSL support)

notice that, using the above string, you'll offer the following ciphers

Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.0  128 bits  RC4-SHA

if using a normal certificate, if instead you have an ECDSA enabled
certificate, you'll also offer the following ciphers in addition to
the above (and preferred)

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256

as you see, the setup offers the stronger ciphers first while still
maintaining support for weaker, older ones as a last resort, which
helps maintain compatibility with older clients


--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
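To see concretely what a cipher string like the one above lets a server offer, and which of those suites a defender would now treat as weak, here is an added example (not code from the thread or from ASSP). It audits the TLSv1.2 suites listed in the post with fixed rules, and expands the thread's string with the local Python `ssl` module, so that second part depends on the OpenSSL build (modern builds no longer compile in RC4 at all); `HARDENED_SPEC` is an assumption used for comparison, not something the thread recommends.

```python
import ssl

# SSL_cipher_list value from the thread, exactly as Grayhat posted it.
THREAD_SPEC = ("kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:"
               "!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED")
# Tighter alternative for comparison (an assumption of this example, not a thread
# recommendation): forward-secret AES-GCM suites only.
HARDENED_SPEC = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!DSS"

# The TLSv1.2 suites the thread's scan output lists for THREAD_SPEC, copied from the post.
PAGE_OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "DHE-RSA-CAMELLIA256-SHA", "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "CAMELLIA256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "RC4-SHA",
]

# Properties a 2016-era "compatible" list still carried that a mail server should no
# longer accept; each rule is checked against the OpenSSL suite name.
WEAK_RULES = [
    ("RC4", lambda n: "RC4" in n),
    ("no forward secrecy", lambda n: not n.startswith(("ECDHE-", "DHE-"))),  # static RSA kex
    ("SHA-1 MAC", lambda n: n.endswith("-SHA")),   # CBC or RC4 with HMAC-SHA1
    ("Camellia", lambda n: "CAMELLIA" in n),
]

def audit(names):
    """Map each suite name that trips at least one rule to its list of issues."""
    findings = {}
    for name in names:
        issues = [label for label, bad in WEAK_RULES if bad(name)]
        if issues:
            findings[name] = issues
    return findings

def offered_ciphers(spec):
    """Expand `spec` with the local OpenSSL: the TLS<=1.2 suites it yields, in priority order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing in the string matches
    # get_ciphers() lists TLS 1.3 suites regardless of the string; drop them here.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

if __name__ == "__main__":
    for name, issues in audit(PAGE_OFFERED).items():
        print(f"{name:32} {', '.join(issues)}")
    print("thread spec on this OpenSSL  :", offered_ciphers(THREAD_SPEC))
    print("hardened spec on this OpenSSL:", offered_ciphers(HARDENED_SPEC))
```

The audit flags 14 of the 22 listed suites; the same `offered_ciphers` call is the programmatic equivalent of `openssl ciphers -v '<string>'` and is the quickest way to check what a candidate `SSL_cipher_list` really enables before putting it into ASSP.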


Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Grayhat
:: On Fri, 3 Jun 2016 10:17:58 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a868...@bcsw-smx07.mymhp.net>
:: Martin Voßloh  wrote:

> Hi,
> 
> Is it possible that the entry is going wrong in this mail?
> 
> kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> 
> the "k" in front of some entries?

no, the "k" is correct, stands for "key exchange" and is accepted by
OpenSSL w/o problems (also tried it with other apps using OpenSSL to
implement SSL support)



Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Martin Voßloh
Hi,

Is it possible that the entry is going wrong in this mail?

kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the "k" in front of some entries?

Like those
https://www.kuketz-blog.de/nsa-abhoersichere-ssl-verschluesselung-fuer-apache-und-nginx/

Regards
Martin

-Original Message-
From: Grayhat [mailto:gray...@gmx.net]
Sent: Friday, 3 June 2016 09:07
To: assp-test@lists.sourceforge.net
Subject: Re: [Assp-test] Couldn't upgrade to TLS for client

:: On Thu, 2 Jun 2016 11:55:38 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a865...@bcsw-smx07.mymhp.net>
:: Martin Voßloh <martin.voss...@mhp.com> wrote:

> Hello,
> 
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for 
> client XXX.XXX.XXX.XXX:
> 
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS   do TLS
SSL_version SSLv23:!SSLv3:!SSLv2
SSL_cipher_list 
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suite combo offering strong ciphers
first but allowing a downgrade to weak ones in case the remote client doesn't
support the stronger ones; sure, you may still see some "TLS" messages, but in
such a case those will probably come from very old clients which don't
support TLS and only support "SSLvX" (or from bots trying to exploit the SSL
bugs to extract info), so just ignore those errors :)



Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Grayhat
:: On Thu, 2 Jun 2016 11:55:38 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a865...@bcsw-smx07.mymhp.net>
:: Martin Voßloh  wrote:

> Hello,
> 
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for
> client XXX.XXX.XXX.XXX:
> 
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS   do TLS
SSL_version SSLv23:!SSLv3:!SSLv2
SSL_cipher_list 
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suite combo offering strong
ciphers first but allowing a downgrade to weak ones in case the remote
client doesn't support the stronger ones; sure, you may still see some
"TLS" messages, but in such a case those will probably come from very
old clients which don't support TLS and only support "SSLvX" (or from
bots trying to exploit the SSL bugs to extract info), so just ignore
those errors :)



Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-02 Thread Martin Voßloh
Hi Pontus,

Thx for your reply.

So I can ignore this information.

Regards
Martin



-Original Message-
From: Pontus Hellgren [mailto:pontus.hellg...@scandinavianhosting.se]
Sent: Thursday, 2 June 2016 14:29
To: Martin Voßloh <martin.voss...@mhp.com>
Subject: Fwd: [Assp-test] Couldn't upgrade to TLS for client

In case this does not reach the list.

I feel I have been muted/blocked from the list :-( None of my latest posts have
reached the list.

Regards,
Pontus

-Original Message-
From: Pontus Hellgren [mailto:pontus.hellg...@scandinavianhosting.se]
Sent: 2 June 2016 14:27
To: 'ASSP development mailing list' <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] Couldn't upgrade to TLS for client

Hi Martin!

I believe (and anyone can correct me) that you should not allow your TLS/SSL to
run low security handshakes or connections.
This might expose your certificate (due to low encryption). We do not allow
anything lower than TLSv1 for TLS sessions.
We get the "Error" in our logs too, but we see these as a "Warning/Notice"
ourselves.
The sender has to resort to plain text rather than us exposing our certificate
to malice.

I see this a lot from Asian and African "senders/clients" and probably a couple
of botnets trying this.
No newer client should refuse to use TLSv1 or higher.
My guess is it's some kind of "fishing" to make you lower your security.
We don't!

I may stand corrected,
Pontus

-Original Message-
From: Martin Voßloh [mailto:martin.voss...@mhp.com]
Sent: 2 June 2016 13:56
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Subject: [Assp-test] Couldn't upgrade to TLS for client

Hello,

I very often have this error in my logs:
Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for client
XXX.XXX.XXX.XXX:

These are the settings I have for: SSL version used for transmission (SSL_version)
SSLv23:!SSLv3:!SSLv2

Should I try this :
In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2'
might help.

Or do I have another problem?

Thx and Regards
Martin

ASSP version 2.5.2(16142)
