Re: Eudora and ssl/tls and cyrus
Sorry about the late response, but I just got some time to look into this. Your fix allows Eudora to negotiate TLSv1, but does NOT fix the STARTTLS problem. I still cannot get Eudora to do STARTTLS with an unmodified Cyrus.

If you look closely at the log of your connection, you connected to an imaps daemon, meaning that you're doing what Eudora calls an Alternate Port connection (SSL-wrapped IMAP on port 993). So, we're back to square one -- Eudora is still broken.

Ken

Nick Simicich wrote:
> I just successfully got Eudora to negotiate TLS with Cyrus. This applies to Eudora 5.1. A log extract which shows that I was able to connect in TLS is below --- you will have to trust me that I did it from Eudora.
>
> The way to accomplish this is to stop Eudora, and using an editor like emacs or notepad, edit the eudora.ini file. In the [Settings] part of the file, find an entry labeled SSLReceiveVersion. If it is there, change the value specified to 0. If it is not there, add a line reading
>
>     SSLReceiveVersion=0
>
> Then start Eudora again.
>
> This parameter defaults to 6, which allows SSL Version 3 only. A setting of 0 allows any of the settings it will speak. 7 forces TLS 1.0, other settings force various other combinations. But 0 makes Eudora permissive and allows it to speak what the other end wants to speak, thus allowing it to use TLS version 1.0. Why Eudora decided to make this parameter default to 6, I have no idea.
>
> I believe that this will allow Eudora 5.1 to talk to an unmodified Cyrus. The FAQ should probably be changed to mention this parameter -- and maybe when people contact Eudora it should be to ask that the parameter be changed.
>
> Sep 27 22:37:40 parrot master[30495]: about to exec /usr/cyrus/bin/imapd
> Sep 27 22:37:40 parrot service-imaps[30495]: executed
> Sep 27 22:37:40 parrot imapd[30495]: accepted connection
> Sep 27 22:37:44 parrot imapd[30495]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
> Sep 27 22:37:45 parrot imapd[30495]: login: glock.squawk.com[208.176.124.157] nick CRAM-MD5+TLS User logged in
> Sep 27 22:37:45 parrot imapd[30495]: seen_db: user nick opened /var/imap/user/n/nick.seen
> Sep 27 22:37:45 parrot imapd[30495]: open: user nick opened INBOX
>
> --
> We often hear of war described as if it were some kind of impersonal affliction, such as the Black Plague or famine. The fact is that war is not just something that happens, it is something that people make happen, and they make it happen for reasons. As Clausewitz said, war is the continuation of politics by other means. Exactly. War is neither a hurricane nor a flood. It is, on the contrary, the cutting edge of ideology. -- Jeff Cooper
> Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html

--
Kenneth Murchison
Oceana Matrix Ltd.
Software Engineer
21 Princeton Place
716-662-8973 x26
Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
Re: Eudora and ssl/tls and cyrus
At 05:02 PM 10/3/2001 -0400, Ken Murchison wrote:
> Sorry about the late response, but I just got some time to look into this. Your fix allows Eudora to negotiate TLSv1, but does NOT fix the STARTTLS problem. I still cannot get Eudora to do STARTTLS with an unmodified Cyrus.

Well, I just ran a bunch of tests, and I'm pretty sure I know what confused me. If you simply change the connection method, it uses the old connection method, until and unless you change the server name. Once you do that, it will try and reconnect, but it is pretty badly hosed. During testing, I got my client into a state where it would not make any TLS connection. I tried a bunch of stuff. Finally, in desperation, I sent a message to my TLS-protected SMTP server, and then I was able to do at least an alternate port connection. But if you have made a connection, even if you turn off alternate port, it still uses the alternate port. I think that was why I was confused.

> If you look closely at the log of your connection, you connected to an imaps daemon, meaning that you're doing what Eudora calls an Alternate Port connection (SSL-wrapped IMAP on port 993).

Because it says service-imaps? Yep, that is what was happening, even though I set it to required, starttls. I assumed it had flipped back to the primary port. I should have run ethereal on the network connection.

> So, we're back to square one -- Eudora is still broken.

Yep. The only way it works is on the alternate port, which, I guess, is better than nothing.

> Ken
>
> Nick Simicich wrote:
>> I just successfully got Eudora to negotiate TLS with Cyrus. This applies to Eudora 5.1. A log extract which shows that I was able to connect in TLS is below --- you will have to trust me that I did it from Eudora.
>>
>> The way to accomplish this is to stop Eudora, and using an editor like emacs or notepad, edit the eudora.ini file. In the [Settings] part of the file, find an entry labeled SSLReceiveVersion. If it is there, change the value specified to 0. If it is not there, add a line reading
>>
>>     SSLReceiveVersion=0
>>
>> Then start Eudora again.
>>
>> This parameter defaults to 6, which allows SSL Version 3 only. A setting of 0 allows any of the settings it will speak. 7 forces TLS 1.0, other settings force various other combinations. But 0 makes Eudora permissive and allows it to speak what the other end wants to speak, thus allowing it to use TLS version 1.0. Why Eudora decided to make this parameter default to 6, I have no idea.
>>
>> I believe that this will allow Eudora 5.1 to talk to an unmodified Cyrus. The FAQ should probably be changed to mention this parameter -- and maybe when people contact Eudora it should be to ask that the parameter be changed.
>>
>> Sep 27 22:37:40 parrot master[30495]: about to exec /usr/cyrus/bin/imapd
>> Sep 27 22:37:40 parrot service-imaps[30495]: executed
>> Sep 27 22:37:40 parrot imapd[30495]: accepted connection
>> Sep 27 22:37:44 parrot imapd[30495]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
>> Sep 27 22:37:45 parrot imapd[30495]: login: glock.squawk.com[208.176.124.157] nick CRAM-MD5+TLS User logged in
>> Sep 27 22:37:45 parrot imapd[30495]: seen_db: user nick opened /var/imap/user/n/nick.seen
>> Sep 27 22:37:45 parrot imapd[30495]: open: user nick opened INBOX
>>
>> --
>> Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html

--
War is an ugly thing, but it is not the ugliest of things. The decayed and degraded state of moral and patriotic feeling which thinks that nothing is worth war is much worse. A man who has nothing for which he is willing to fight, nothing he cares about more than his own personal safety, is a miserable creature who has no chance of being free, unless made so by the exertions of better men than himself. -- John Stuart Mill
Nick Simicich - [EMAIL PROTECTED]
Re: Eudora and ssl/tls and cyrus
At 08:41 AM 9/28/2001 -0400, Jeremy Beker wrote:
> Any ideas as to where on the Mac version one would set this?

I don't have a Mac. I found this by looking at the on-line user's manual on the Eudora web site. Hmmm. The manual is in an hqx file, and winzip won't decompress it. The manuals are pointed to by a web page off of http://www.eudora.com/email/docs/index.html. I tried downloading it twice and I guess that winzip can't deal with the file; it says that the binhex has no end.

I also found the parameter in Windows in the online help by doing a search for tls - that brought up the section on the Eudora INI file. Now, in the Windows version, at least, there are huge numbers of things that can be set in the eudora.ini file - the filtering for the headings you see is controlled there. I don't know anyone who is a heavy Eudora user who does not hack their ini file, and this includes people who are pretty hapless. I'd be surprised if there was not some equivalent for the Mac Eudora folks. So maybe someone who actually has a Mac can download the manual and look at it; I can't.

I should make it clear that I don't speak for the Eudora folks, I just use the product.

By the way, there is a corresponding parameter, SSLSendVersion, which controls the encodings used by the SMTP connection. If you are setting SSLReceiveVersion to 0 to allow TLS, you probably also want to set SSLSendVersion to 0, so that you use TLS for both connections.

--
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
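The edit this message and the earlier one describe by hand (find SSLReceiveVersion in [Settings], change it or add the line, and do the same for SSLSendVersion) as a script. This is an added example, not code from the thread or from QUALCOMM. The sample eudora.ini is constructed, the only values it accepts are the three the thread documents (0, 6 and 7), and the assumption that Eudora matches key names case-insensitively is mine.

```python
"""Set SSLReceiveVersion and SSLSendVersion in Eudora's eudora.ini.

Added example, not code from the thread or from QUALCOMM. It performs the
edit the thread describes by hand: in the [Settings] section, change the
value of the key if it exists, otherwise add the line. It edits line by line
so that every other key, comment and section in the file is left untouched.
"""
import configparser
import re

# The only values the thread documents. Anything else is refused rather than
# guessed at, since the thread says other settings "force various other
# combinations" without saying which.
DOCUMENTED_VALUES = {
    0: "permissive: speak whatever the server wants, including TLS 1.0",
    6: "SSL version 3 only (the Eudora 5.1 default)",
    7: "TLS 1.0 only",
}
SSL_KEYS = ("SSLReceiveVersion", "SSLSendVersion")   # IMAP/POP side, SMTP side

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;#\[][^=]*?)\s*=")

# Constructed sample file; key names other than the SSL ones are placeholders.
SAMPLE_INI = """[Settings]
POPAccount=user@mail.example.com
SSLReceiveVersion=6
SMTPServer=mail.example.com

[Window]
Main=0,0,800,600
"""


def set_ssl_versions(ini_text: str, value: int) -> str:
    """Return ini_text with both SSL version keys set to value in [Settings]."""
    if value not in DOCUMENTED_VALUES:
        raise ValueError(f"SSL*Version={value} is not documented in the thread")

    lines = ini_text.splitlines()
    start = None            # index of the [Settings] header line
    end = len(lines)        # index of the next section header, or EOF
    seen = set()

    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m:
            if start is not None:
                end = i         # the first header after [Settings] closes it
                break
            if m.group("name").strip().lower() == "settings":
                start = i
            continue
        if start is None:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").strip()
            for canonical in SSL_KEYS:      # assumption: key names are case-insensitive
                if key.lower() == canonical.lower():
                    lines[i] = f"{canonical}={value}"
                    seen.add(canonical)

    if start is None:       # no [Settings] section at all: append one
        if lines and lines[-1].strip():
            lines.append("")
        lines.append("[Settings]")
        start, end = len(lines) - 1, len(lines)

    # Add the keys that were absent at the end of [Settings], above the blank
    # lines that separate it from the next section.
    insert_at = end
    while insert_at > start + 1 and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines[insert_at:insert_at] = [f"{k}={value}" for k in SSL_KEYS if k not in seen]
    return "\n".join(lines) + "\n"


def read_setting(ini_text: str, key: str) -> str:
    """Read one [Settings] value back, preserving key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(ini_text)
    return parser["Settings"][key]


if __name__ == "__main__":
    print(set_ssl_versions(SAMPLE_INI, 0))
```

Run it against a copy of the real file while Eudora is stopped, as the thread says, and diff the result before replacing the original; the function is idempotent, so running it twice changes nothing the second time.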
Re: Eudora and ssl/tls and cyrus
Any ideas as to where on the Mac version one would set this?

-Jeremy

At 12:31 AM -0400 9/28/01, Nick Simicich wrote:
> At 07:37 PM 9/27/2001 -0400, Nick Simicich wrote:
>> I had actually posted a trace of one of the sessions, extracted from ethereal (before it started working). As you can see, the verb being used is, in fact, STARTSSL. So I am of the opinion
>
> I meant to type STARTTLS above, not STARTSSL. Just shoot me now. The final solution was to change a parameter in the eudora.ini file to allow it to negotiate TLS.
>
> --
> Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html

--
Jeremy Beker, Engineering Manager
Research Development, RSA Security
Condensing fact from the vapor of nuance.
Re: Eudora and ssl/tls and cyrus
On Thu, 27 Sep 2001 01:05:53 -0400, Nick Simicich [EMAIL PROTECTED] (ns) writes:

ns> I did some searches in the archives. If there is anything similar,
ns> searching on Eudora and ssl or tls didn't find it. Eudora will not
ns> complete TLS negotiation with Cyrus.

Are you attempting to use the 'alternate port' configuration, or the 'starttls' configuration? I ask because we were able to get the 'alternate port' configuration to work, but not the other. Turns out that Eudora actually tries to do 'startssl' instead of 'starttls'. (No, 'startssl' doesn't exist.)

If this sounds like it might be your situation, either use the 'alternate port' or make a small change to the Cyrus code (I forget exactly where) so that it will tolerate this non-standard 'startssl'. I understand this has been reported to Eudora.

--
Amos
Re: Eudora and ssl/tls and cyrus
I apologize that this is a FAQ and will now scurry off to recompile.

Yep, that does it, it established an SSLv3 connection immediately, authenticated without a problem.

Are there more Eudora-related questions in this 2.1 FAQ? Is it available anywhere? Ah, you said it was available in CVS, I'll try to figure out how to access it, I'm not a CVS maven by any stretch of the imagination, I think I used it from a cookbook once several years ago.

I will write a note to their tech support. RFC2246 describes TLS. It looks like the Standards Track RFC that requires TLS for the STARTTLS command is RFC2595, specifically section 2.1, Cipher Suite Requirements. So it looks like they are in violation of 2595. Perhaps the FAQ should be updated to point to 2595; the requirement that TLS is a requirement for implementation of the STARTTLS command is very clear there.

At 08:16 AM 9/27/2001 -0400, Ken Murchison wrote:
> Nick Simicich wrote:
>> I did some searches in the archives. If there is anything similar, searching on Eudora and ssl or tls didn't find it. Eudora will not complete TLS negotiation with Cyrus.
>>
>> I am running Redhat Roswell (the current Redhat Beta, 7.1+) on an Intel box. I am running cyrus-imapd-2.0.15-HIERSEP-r2, and (from the Redhat rpm) openssl-0.9.6b-7. I have generated a server key that works with Eudora 5.1 when I use it to communicate with SMTP and Postfix. It is not signed by a known CA but Eudora allows you to trust a particular certificate. SMTP goes through the Postfix use of the SSL library.
>>
>> However, when I use that same key to connect to IMAP on the alternate port, things just don't work. The message (from Eudora) is:
>>
>> SSL Negotiation failed: You have configured the personality/protocol to reject any exchange key lengths below 0. But the negotiated exchange key length is -1. Hence this established secure channel is unacceptable. Connection will be dropped.
>> Cause: (-6996)
>
> From doc/faq.html in CVS (to be included in the 2.1 release):
>
> Q: Eudora 5.x can't connect using STARTTLS (SSL Negotiation Failed). What should I do?
>
> A: First, complain to QUALCOMM because their STARTTLS implementation is broken. Eudora doesn't support TLSv1 (per RFC2246) and Cyrus requires it. If you really need this before it is fixed in Eudora, remove or comment out the following lines in tls.c:
>
>     if (tlsonly) {
>         off |= SSL_OP_NO_SSLv2;
>         off |= SSL_OP_NO_SSLv3;
>     }
>
> FYI, I have complained to QUALCOMM with no response. Perhaps if more people complain, they will do something about it. After all, the command IS called STARTTLS and not STARTSSL.

--
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
Re: Eudora and ssl/tls and cyrus
At 07:46 AM 9/27/2001 -0500, Amos Gouaux wrote:
> On Thu, 27 Sep 2001 01:05:53 -0400, Nick Simicich [EMAIL PROTECTED] (ns) writes:
>
> ns> I did some searches in the archives. If there is anything similar,
> ns> searching on Eudora and ssl or tls didn't find it. Eudora will not
> ns> complete TLS negotiation with Cyrus.
>
> Are you attempting to use the 'alternate port' configuration, or the 'starttls' configuration? I ask because we were able to get the 'alternate port' configuration to work, but not the other. Turns out that Eudora actually tries to do 'startssl' instead of 'starttls'. (No, 'startssl' doesn't exist.)

I had actually posted a trace of one of the sessions, extracted from ethereal (before it started working). As you can see, the verb being used is, in fact, STARTSSL. So I am of the opinion that if Eudora was mistakenly using a STARTSSL verb, that they are now using STARTTLS (and, after that, refusing to actually start a TLS session - when I made the code change to not reject negotiation of SSL V2 and V3, it began negotiating an SSL V3 session rather than failing to negotiate a TLS session).

But I had actually attempted both the alternate port configuration and the main-port-with-startssl configuration, and they both failed in the same way - it is that Eudora does not support TLS. I have not looked at the details of the negotiation since examining the differences between SSL V2 and SSL V3 closely when trying to determine why socksified connections to SSL V3 servers sometimes failed while SSL V2 connections always worked (some early SSL V3 implementations could not fall back when the cached secret on the server was not known to the client because it was not, in fact, the same client even though it came from the same IP address; the bypass was, in many cases, to force V2). So I don't know what, if any, advantages there are from forcing TLS, or why someone would not want to go ahead and fall back to SSL V3 other than it adheres to standards.

The code change that was suggested to not force TLS but to accept the use of either TLS or SSL V2/V3 allowed things to work.

    * OK parrot.squawk.com Cyrus IMAP4 v2.0.15-HIERSEP-r2 server ready
    0 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
    0 OK Completed
    1 STARTTLS
    1 OK Begin TLS negotiation now
    Then some binary gets put in here...
    1 NO Starttls failed
    * BAD Invalid tag
    * BAD Invalid tag
    and a short binary burst here...

> If this sounds like it might be your situation, either use the 'alternate port' or make a small change to the Cyrus code (I forget exactly where) so that it will tolerate this non-standard 'startssl'. I understand this has been reported to Eudora.

The client that I have had to force to use alternate ports is Lookout. I have not bothered to investigate why in those cases.

--
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
Eudora and ssl/tls and cyrus
I just successfully got Eudora to negotiate TLS with Cyrus. This applies to Eudora 5.1. A log extract which shows that I was able to connect in TLS is below --- you will have to trust me that I did it from Eudora.

The way to accomplish this is to stop Eudora, and using an editor like emacs or notepad, edit the eudora.ini file. In the [Settings] part of the file, find an entry labeled SSLReceiveVersion. If it is there, change the value specified to 0. If it is not there, add a line reading

    SSLReceiveVersion=0

Then start Eudora again.

This parameter defaults to 6, which allows SSL Version 3 only. A setting of 0 allows any of the settings it will speak. 7 forces TLS 1.0, other settings force various other combinations. But 0 makes Eudora permissive and allows it to speak what the other end wants to speak, thus allowing it to use TLS version 1.0. Why Eudora decided to make this parameter default to 6, I have no idea.

I believe that this will allow Eudora 5.1 to talk to an unmodified Cyrus. The FAQ should probably be changed to mention this parameter -- and maybe when people contact Eudora it should be to ask that the parameter be changed.

    Sep 27 22:37:40 parrot master[30495]: about to exec /usr/cyrus/bin/imapd
    Sep 27 22:37:40 parrot service-imaps[30495]: executed
    Sep 27 22:37:40 parrot imapd[30495]: accepted connection
    Sep 27 22:37:44 parrot imapd[30495]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
    Sep 27 22:37:45 parrot imapd[30495]: login: glock.squawk.com[208.176.124.157] nick CRAM-MD5+TLS User logged in
    Sep 27 22:37:45 parrot imapd[30495]: seen_db: user nick opened /var/imap/user/n/nick.seen
    Sep 27 22:37:45 parrot imapd[30495]: open: user nick opened INBOX

--
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
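Ken's reply at the top of this page makes the point that the log above proves an SSL-wrapped connection to the imaps service (Eudora's "alternate port", 993), not STARTTLS on the plain imap service, and that the service name in the log is what tells them apart. The check below is an added example, not code from the thread or from the Cyrus project: it folds Cyrus 2.0 syslog lines into one record per imapd process and classifies each connection by the listener that accepted it first. The sample input is the two log extracts posted in this thread (this message and the original question), with the archive's line-wrap damage repaired; the field layout of the regular expressions is read off those lines and is an assumption for any other Cyrus version.

```python
"""Classify Cyrus imapd log lines by how TLS was (or was not) established.

Added example, not code from the thread or from Cyrus. Groups the syslog
lines for one connection by process id and answers: did the client connect
to the SSL-wrapped "imaps" service (port 993, Eudora's "alternate port"),
or did it issue STARTTLS on the plain "imap" service? Log format taken from
the extracts in the thread; anything beyond those lines is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two log extracts posted in the thread (wrap damage repaired).
SAMPLE_LOG = """\
Sep 27 00:57:28 parrot master[23631]: about to exec /usr/cyrus/bin/imapd
Sep 27 00:57:28 parrot service-imap[23631]: executed
Sep 27 00:57:28 parrot imapd[23631]: accepted connection
Sep 27 00:57:29 parrot imapd[23631]: STARTTLS failed: glock.squawk.com[208.176.124.157]
Sep 27 00:57:29 parrot master[23188]: process 23631 exited, status 0
Sep 27 22:37:40 parrot master[30495]: about to exec /usr/cyrus/bin/imapd
Sep 27 22:37:40 parrot service-imaps[30495]: executed
Sep 27 22:37:40 parrot imapd[30495]: accepted connection
Sep 27 22:37:44 parrot imapd[30495]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Sep 27 22:37:45 parrot imapd[30495]: login: glock.squawk.com[208.176.124.157] nick CRAM-MD5+TLS User logged in
Sep 27 22:37:45 parrot imapd[30495]: seen_db: user nick opened /var/imap/user/n/nick.seen
Sep 27 22:37:45 parrot imapd[30495]: open: user nick opened INBOX
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STARTTLS_OK_RE = re.compile(
    r"^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\) (?P<clientauth>.*)$"
)
LOGIN_RE = re.compile(r"^login: (?P<peer>\S+) (?P<user>\S+) (?P<mech>\S+) ")
FAILED_PREFIX = "STARTTLS failed: "


@dataclass
class Session:
    pid: str
    service: Optional[str] = None     # "imap" (plain port) or "imaps" (wrapped port)
    tls_proto: Optional[str] = None   # e.g. "TLSv1", set once a handshake completed
    cipher: Optional[str] = None
    bits: Optional[int] = None
    tls_failed: bool = False
    peer: Optional[str] = None
    user: Optional[str] = None
    mech: Optional[str] = None        # SASL mechanism; "+TLS" suffix = over TLS


def summarize_sessions(lines: List[str]) -> Dict[str, Session]:
    """Fold log lines into one Session per imapd process id."""
    sessions: Dict[str, Session] = {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m or m.group("prog") == "master":
            continue  # unparseable, or the master daemon's own bookkeeping
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, Session(pid))
        if prog.startswith("service-"):
            # "service-imaps[pid]: executed" names the listener that accepted the
            # socket. This, not the later "starttls:" line, says whether the
            # connection was SSL-wrapped from the first byte.
            s.service = prog[len("service-"):]
            continue
        t = STARTTLS_OK_RE.match(msg)
        if t:
            s.tls_proto, s.cipher, s.bits = t.group("proto"), t.group("cipher"), int(t.group("bits"))
            continue
        if msg.startswith(FAILED_PREFIX):
            s.tls_failed, s.peer = True, msg[len(FAILED_PREFIX):]
            continue
        lg = LOGIN_RE.match(msg)
        if lg:
            s.peer, s.user, s.mech = lg.group("peer"), lg.group("user"), lg.group("mech")
    return sessions


def connection_kind(s: Session) -> str:
    """How the session was protected, judged by the listener first."""
    if s.service == "imaps":
        # Cyrus logs the wrapped handshake with the same "starttls:" line, so a
        # TLSv1 line here does not mean the STARTTLS command was ever used.
        return "alternate-port"
    if s.service == "imap":
        if s.tls_proto:
            return "starttls"
        return "starttls-failed" if s.tls_failed else "plaintext"
    return "unknown"


def report(lines: List[str]) -> List[str]:
    """One human-readable line per session."""
    out = []
    for pid, s in sorted(summarize_sessions(lines).items()):
        tls = f"{s.tls_proto} {s.cipher} {s.bits}-bit" if s.tls_proto else "no TLS"
        who = f"{s.user} via {s.mech}" if s.user else "no login"
        out.append(f"pid {pid}: {connection_kind(s)} ({tls}; {who}; peer {s.peer})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

On the thread's own data this reports pid 23631 as a failed STARTTLS on the plain service and pid 30495 as an alternate-port session, which is the distinction Ken draws. Feed it `grep imapd /var/log/maillog` output to see the same split for a whole day.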
Re: Eudora and ssl/tls and cyrus
At 07:37 PM 9/27/2001 -0400, Nick Simicich wrote:
> I had actually posted a trace of one of the sessions, extracted from ethereal (before it started working). As you can see, the verb being used is, in fact, STARTSSL. So I am of the opinion

I meant to type STARTTLS above, not STARTSSL. Just shoot me now. The final solution was to change a parameter in the eudora.ini file to allow it to negotiate TLS.

--
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
Eudora and ssl/tls and cyrus
I did some searches in the archives. If there is anything similar, searching on Eudora and ssl or tls didn't find it. Eudora will not complete TLS negotiation with Cyrus.

I am running Redhat Roswell (the current Redhat Beta, 7.1+) on an Intel box. I am running cyrus-imapd-2.0.15-HIERSEP-r2, and (from the Redhat rpm) openssl-0.9.6b-7. I have generated a server key that works with Eudora 5.1 when I use it to communicate with SMTP and Postfix. It is not signed by a known CA but Eudora allows you to trust a particular certificate. SMTP goes through the Postfix use of the SSL library.

However, when I use that same key to connect to IMAP on the alternate port, things just don't work. The message (from Eudora) is:

    SSL Negotiation failed: You have configured the personality/protocol to reject any exchange key lengths below 0. But the negotiated exchange key length is -1. Hence this established secure channel is unacceptable. Connection will be dropped.
    Cause: (-6996)

Logged messages are:

    Sep 27 00:57:28 parrot master[23631]: about to exec /usr/cyrus/bin/imapd
    Sep 27 00:57:28 parrot service-imap[23631]: executed
    Sep 27 00:57:28 parrot imapd[23631]: accepted connection
    Sep 27 00:57:29 parrot imapd[23631]: STARTTLS failed: glock.squawk.com[208.176.124.157]
    Sep 27 00:57:29 parrot master[23188]: process 23631 exited, status 0

An ethereal dump of the interaction between Eudora and Cyrus, which doesn't say much:

    * OK parrot.squawk.com Cyrus IMAP4 v2.0.15-HIERSEP-r2 server ready
    0 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
    0 OK Completed
    1 STARTTLS
    1 OK Begin TLS negotiation now
    Then some binary gets put in here...
    1 NO Starttls failed
    * BAD Invalid tag
    * BAD Invalid tag
    and a short binary burst here...

Has anyone actually either (1) seen this message or anything similar or (2) gotten Eudora to work with Cyrus IMAP? Is there new TLS stuff that I should be using?

--
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
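The exchange in the ethereal dump above (also quoted in the reply to Amos earlier on this page) replayed between a scripted client and a scripted server, together with the server-side version check that the tls.c snippet in Ken's FAQ reply expresses. This is an added example, not code from the thread, from Cyrus or from Eudora. With `tlsonly` set the modelled server refuses an SSLv2 or SSLv3 client hello, answers "NO Starttls failed", and then reads whatever the client sends next as IMAP, which is where the "* BAD Invalid tag" lines at the end of the dump come from. The client hellos are constructed from the published record layouts (a TLS handshake record starts with 0x16 followed by the protocol version; an SSLv2-format hello has the high bit of its length byte set), not captured from Eudora; the mapping from SSLReceiveVersion to the hello Eudora sends uses only the three values the thread documents and assumes a permissive client (0) leads with TLS 1.0; the tag check is a simplification of the IMAP grammar.

```python
"""IMAP STARTTLS exchange from the thread's transcript, with the server's
version policy. Added example, not code from the thread, Cyrus or Eudora."""
import re
from typing import Dict, List, Optional, Tuple

SERVER_GREETING = "* OK parrot.squawk.com Cyrus IMAP4 v2.0.15-HIERSEP-r2 server ready"
CAPABILITIES = (
    "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT "
    "MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS "
    "AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5"
)
HANDSHAKE_OK = "(handshake proceeds; subsequent traffic is encrypted)"

# Constructed client hellos: the first bytes a client sends after the server
# says "OK Begin TLS negotiation now". Layouts follow the SSLv2/SSLv3/TLS
# specifications; none of these bytes were captured from Eudora.
TLS10_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x20, 0x01]) + b"\x00" * 31  # record version 3.1 = TLS 1.0
SSL3_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x20, 0x01]) + b"\x00" * 31   # record version 3.0 = SSLv3
SSL2_HELLO = bytes([0x80, 0x24, 0x01, 0x00, 0x02]) + b"\x00" * 34         # SSLv2 CLIENT-HELLO, version 0.2
TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])             # what a refused client may send next
CLEARTEXT = b"2 CAPABILITY\r\n"                                           # a client that never started TLS

# What Eudora 5.1 offers for each SSLReceiveVersion value the thread names
# (6 = SSLv3 only, 7 = TLS 1.0, 0 = whatever the server wants). Assumption:
# the permissive setting leads with the highest version, TLS 1.0.
EUDORA_HELLO: Dict[int, bytes] = {6: SSL3_HELLO, 7: TLS10_HELLO, 0: TLS10_HELLO}

IMAP_TAG_RE = re.compile(rb"^[A-Za-z0-9]+ ")   # simplified: tag atom, then a space


def client_hello_version(data: bytes) -> Optional[Tuple[int, int]]:
    """(major, minor) the client asks for, or None if the bytes are not a hello."""
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:  # handshake record, ClientHello
        return data[1], data[2]
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:   # SSLv2-format CLIENT-HELLO
        return data[3], data[4]
    return None


def server_accepts(hello: bytes, tlsonly: bool = True) -> bool:
    """The policy of the tls.c snippet: SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 when tlsonly."""
    version = client_hello_version(hello)
    if version is None:
        return False            # not a handshake at all
    if not tlsonly:
        return True             # patched Cyrus: SSLv2, SSLv3 or TLS all allowed
    return version >= (3, 1)    # unmodified Cyrus: TLS 1.0 or newer only


def run_exchange(client_chunks: List[bytes], tlsonly: bool = True,
                 capabilities: str = CAPABILITIES) -> List[str]:
    """Replay the transcript; returns the server's lines in order.

    client_chunks[0] is the client's hello; the rest is whatever it sends
    afterwards believing the channel is (or is about to be) encrypted.
    """
    server = [SERVER_GREETING]
    # "0 CAPABILITY": the client must see STARTTLS advertised before using it.
    server += [f"* CAPABILITY {capabilities}", "0 OK Completed"]
    if "STARTTLS" not in capabilities.split():
        return server + ["(client: STARTTLS not advertised, nothing sent)"]
    # "1 STARTTLS": from the OK onward the server expects a handshake record,
    # and the client must send nothing further in the clear.
    server.append("1 OK Begin TLS negotiation now")
    if server_accepts(client_chunks[0], tlsonly):
        return server + [HANDSHAKE_OK]
    # Refused. The server reports the failure and goes back to reading plain
    # IMAP, so each chunk of handshake bytes is judged as a command and fails
    # the tag check: the untagged BADs at the end of the transcript.
    server.append("1 NO Starttls failed")
    for chunk in client_chunks:
        if not IMAP_TAG_RE.match(chunk):
            server.append("* BAD Invalid tag")
    return server


def eudora_vs_cyrus(ssl_receive_version: int, cyrus_patched: bool) -> List[str]:
    """The combinations discussed in the thread, as the server's side of the exchange."""
    return run_exchange([EUDORA_HELLO[ssl_receive_version], TLS_ALERT], tlsonly=not cyrus_patched)


if __name__ == "__main__":
    for line in eudora_vs_cyrus(6, cyrus_patched=False):   # default Eudora, unmodified Cyrus
        print("S:", line)
```

The three outcomes the thread reports fall out of the same function: the default SSLReceiveVersion=6 against an unmodified Cyrus reproduces the "NO Starttls failed" tail of the dump, the patched Cyrus accepts that same hello as an SSLv3 session, and SSLReceiveVersion=0 or 7 against the unmodified server gets past the version check. The defender's lesson is in `server_accepts`: the server, not the client, is the right place to hold the floor at TLS 1.0 as RFC 2595 requires, and a client that sends anything other than a handshake after "OK Begin TLS negotiation now" has leaked it in the clear.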