Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-09 Thread Robert Mueller
> I'm thinking that perhaps your cert is using SHA-(256|512) and
> something better than 3DES for HMAC, and therefore the remote servers
> are unable to work with the certificate as they don't have access to
> the required crypto. I sincerely hope this is not the case, but
> perhaps you can test this by using a certificate signed with "export
> grade" algorithms...


That's not a bad theory. However I just checked, and our cert was
upgraded to sha256 around Dec 2014, but based on our logs, we only had
to introduce the workarounds in Oct 2015, so it doesn't seem related to
the sha1 -> sha256 upgrade of our cert. Also from what I hear from some
others, they don't have problems with a sha256 cert either from the same
hosts we're having problems with.


Rob Mueller

r...@fastmail.fm


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-09 Thread Luis E. Muñoz


This error seems similar to one we observed earlier in an unrelated 
application.


Long story short, one of our customers' SSL library was rejecting our 
certificates with vague certificate errors. The culprit was that the 
client SSL library was configured to honor the historic export 
restrictions and considered the combination of algorithms we were using 
for HMAC invalid. Once the client upgraded his SSL config to allow all 
algorithms, the certificates were accepted and TLS connections were 
happy again.


I'm thinking that perhaps your cert is using SHA-(256|512) and something 
better than 3DES for HMAC, and therefore the remote servers are unable 
to work with the certificate as they don't have access to the required 
crypto. I sincerely hope this is not the case, but perhaps you can test 
this by using a certificate signed with "export grade" algorithms...


Best regards

-lem


On 9 Jan 2017, at 16:04, Robert Mueller wrote:

>> You may want to use this tool on your mail server (so it picks up the
>> same openssl version) to check what cyphers the mil server accepts:
>> https://testssl.sh/
>
> I'm not sure how this would help. The problem occurs with them trying to
> send mail to us. I know what ciphers we offer, what I don't know is what
> they don't like about our cipher list. Sure I can use this script to
> connect back to them to see what their incoming servers accept, but we
> don't have a problem with that, it's only when they connect to us that
> they bail out with the "Certificate rejected over TLS" error.
>
> Also based on what I've heard from others, they're quite happy to
> connect to other servers with a secure TLSv1.2 cipher, one that we
> actually offer. So why are they failing to use that cipher when
> connecting to us? The client gets to choose, so the only thing I can
> think of is they're trying to connect with a weaker cipher first, seeing
> we accept, and then aborting any attempt to send us email at all. Sounds
> very strange.
>
> Hmmm, "Certificate rejected"... that doesn't sound like a cipher error
> either does it. Of course, you never can be sure with error messages,
> though I wonder if they just don't like wildcard certificates or
> something like that?
>
> More likely, there's some subtle protocol level incompatibility going on
> somewhere that's going to be painful to debug.
>
> Rob Mueller
>
> r...@fastmail.fm






Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-09 Thread Franck Martin via mailop
You may want to use this tool on your mail server (so it picks up the same
openssl version) to check what cyphers the mil server accepts:
https://testssl.sh/

Beware, I believe one connection is open for each cypher tested, the client
offers only one cypher and see if the connection completes...



On Mon, Jan 9, 2017 at 6:48 AM, Graeme Fowler 
wrote:

> On 9 Jan 2017, at 14:08, Franck Martin via mailop 
> wrote:
>
> Often, it is a problem of finding an acceptable cypher to both parties...
>
>
> ...after...
>
> On Mon, Jan 9, 2017 at 4:21 AM, Robert Mueller  wrote:
>>
>> So it turns out we'd actually encountered this problem before (Oct
>> 2015), and had put a work around in place at the time. It appears that
>> us.af.mil servers were having problems connecting to our postfix
>> instances and at the time couldn't work out what the obvious reason was
>> so I had added this to our postfix config.
>
>
> They're finding a cipher they don't like - so far as I can ascertain, your
> host is offering an RC4 based cipher. If they're .mil, as you mention, then
> their cipher compatibility list will likely be small and hard (so to
> speak). I can't speak for why they'd not connect to you as a result, that's
> up to them.
>
> https://ssl-tools.net/mailservers/mx1.messagingengine.com
>
> Graeme
>


Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-09 Thread Graeme Fowler
On 9 Jan 2017, at 14:08, Franck Martin via mailop  wrote:
> Often, it is a problem of finding an acceptable cypher to both parties...

...after...

> On Mon, Jan 9, 2017 at 4:21 AM, Robert Mueller wrote:
> So it turns out we'd actually encountered this problem before (Oct
> 2015), and had put a work around in place at the time. It appears that
> us.af.mil servers were having problems connecting to our postfix
> instances and at the time couldn't work out what the obvious reason was
> so I had added this to our postfix config.

They're finding a cipher they don't like - so far as I can ascertain, your host 
is offering an RC4 based cipher. If they're .mil, as you mention, then their 
cipher compatibility list will likely be small and hard (so to speak). I can't 
speak for why they'd not connect to you as a result, that's up to them.

https://ssl-tools.net/mailservers/mx1.messagingengine.com 


Graeme


Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-09 Thread Franck Martin via mailop
The negotiation of STARTTLS is done in clear, so a packet capture will tell
you where the problem is... Wireshark usually explains well what options
are in the packets...

Often, it is a problem of finding an acceptable cypher to both parties...

Finally, make sure your firewall is not messing up with SMTP packets...

On Mon, Jan 9, 2017 at 4:21 AM, Robert Mueller  wrote:

>
> > We've suddenly had a couple of reports from users about people sending
> > to them (e.g. sending from a remote service to our servers) failing and
> > bouncing with the error message:
> >
> > Certificate rejected over TLS. (unknown protocol)
>
> Just to update with more information.
>
> So it turns out we'd actually encountered this problem before (Oct
> 2015), and had put a work around in place at the time. It appears that
> us.af.mil servers were having problems connecting to our postfix
> instances and at the time couldn't work out what the obvious reason was
> so I had added this to our postfix config.
>
> main.cf
> ...
> # Disable starttls for some problematic hosts
> smtpd_discard_ehlo_keyword_address_maps =
> cidr:/etc/postfix/access_client-helo_keyword.cidr
>
> access_client-helo_keyword.cidr
> # us.af.mil has TLS problems. IPs taken from SPF record (e.g. dig
> us.af.mil TXT)
> 132.3.0.0/16 starttls
> ...
> 131.15.70.0/24 starttls
>
> It appears recently they must have added additional servers, since their
> SPF records have changed. Adding these:
>
> +131.9.253.0/24 starttls
> +131.27.1.0/24 starttls
>
> Fixed the problem.
>
> Ideally I'd like to actually work out what's causing the sending servers
> to fail with our TLS configuration, but it's a bit of work I haven't had
> time for, thus this work around for now.
>
> --
> Rob Mueller
> r...@fastmail.fm
>
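Franck's packet-capture suggestion above and Graeme's note earlier in the thread that the host is offering an RC4 based cipher both come down to reading what the two sides put on the wire before encryption starts. As an added example that is not part of this thread and not code from any project it mentions, the Python below decodes a TLS ClientHello record (the first thing the sending MTA emits after its STARTTLS command is accepted) and reports the protocol version it asks for, the cipher suites it offers with RC4, 3DES, export, NULL and MD5 suites flagged, and the SNI name if present. The input is a constructed record assembled by build_client_hello, not captured traffic, and the host name mx.example.invalid is a placeholder; the parser handles only the TLS-format hello, not the SSLv2-compatible hello format that some very old stacks send, and the suite table is a small subset of the IANA registry.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# Small subset of IANA cipher-suite identifiers, enough to classify what an
# older MTA typically offers. Anything not listed is reported by number.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

WEAK_MARKERS = ("RC4", "3DES", "EXPORT", "NULL", "_MD5")


def suite_name(suite_id):
    return SUITES.get(suite_id, "UNKNOWN_0x%04X" % suite_id)


def is_weak(name):
    return any(marker in name for marker in WEAK_MARKERS)


def build_client_hello(version, suites, sni=None):
    """Constructed sample input: assemble a minimal ClientHello record so the
    parser below has realistic offline input. This is not captured traffic."""
    body = struct.pack(">H", version) + bytes(32)        # client_version + random (zeroed here)
    body += b"\x00"                                      # empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode()
        name_entry = b"\x00" + struct.pack(">H", len(host)) + host   # name_type host_name
        name_list = struct.pack(">H", len(name_entry)) + name_entry
        exts += struct.pack(">HH", 0x0000, len(name_list)) + name_list
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Decode the parts of a ClientHello a mail admin cares about when a peer
    refuses TLS: the version it asks for, the suites it offers, and the SNI."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_version, rec_len = struct.unpack(">HH", data[1:5])
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                            # skip random
    pos += 1 + body[pos]                                 # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression methods
    sni = None
    if pos + 2 <= len(body):                             # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000 and len(edata) >= 5:      # server_name: list_len, type, len, name
                name_len = struct.unpack(">H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode()
    names = [suite_name(s) for s in suites]
    return {
        "record_version": VERSIONS.get(rec_version, hex(rec_version)),
        "client_version": VERSIONS.get(client_version, hex(client_version)),
        "suites": names,
        "weak": [n for n in names if is_weak(n)],
        "sni": sni,
    }


if __name__ == "__main__":
    # Constructed sample: a TLS 1.0 client that leads with RC4 and 3DES.
    sample = build_client_hello(0x0301, [0x0005, 0x000A, 0xC02F], sni="mx.example.invalid")
    for key, value in parse_client_hello(sample).items():
        print("%-15s %s" % (key, value))
```

Feed it the payload of the first TLS record after the client's STARTTLS command (in Wireshark, follow the TCP stream and export the raw bytes) to see whether the peer asks for SSLv3, as Ken suggested, or leads with an RC4 suite, as Graeme observed; the record and client versions are reported separately because they legitimately differ.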


Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-09 Thread Robert Mueller

> We've suddenly had a couple of reports from users about people sending
> to them (e.g. sending from a remote service to our servers) failing and
> bouncing with the error message:
> 
> Certificate rejected over TLS. (unknown protocol)

Just to update with more information.

So it turns out we'd actually encountered this problem before (Oct
2015), and had put a work around in place at the time. It appears that
us.af.mil servers were having problems connecting to our postfix
instances and at the time couldn't work out what the obvious reason was
so I had added this to our postfix config.

main.cf
...
# Disable starttls for some problematic hosts
smtpd_discard_ehlo_keyword_address_maps =
cidr:/etc/postfix/access_client-helo_keyword.cidr

access_client-helo_keyword.cidr
# us.af.mil has TLS problems. IPs taken from SPF record (e.g. dig
us.af.mil TXT)
132.3.0.0/16 starttls
...
131.15.70.0/24 starttls

It appears recently they must have added additional servers, since their
SPF records have changed. Adding these:

+131.9.253.0/24 starttls
+131.27.1.0/24 starttls

Fixed the problem.

Ideally I'd like to actually work out what's causing the sending servers
to fail with our TLS configuration, but it's a bit of work I haven't had
time for, thus this work around for now.

-- 
Rob Mueller
r...@fastmail.fm

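Rob's workaround above strips STARTTLS from the EHLO response for any client whose address matches the cidr map, so those senders never attempt TLS. As an added example that is neither Rob's nor Postfix's code, the Python below parses a map in that format and applies the first-match lookup rule documented in cidr_table(5), so an admin can check which keywords a given client address would lose, find entries shadowed by an earlier broader one (which can never match and usually signal a copy-paste mistake), and list every netblock whose mail will now arrive without TLS. The sample map is constructed from the entries quoted in the thread plus one deliberately shadowed /24; the parser handles only plain "network result" lines, not the other pattern forms Postfix accepts.

```python
import ipaddress

# Constructed sample in the format of the map quoted in the thread, with an
# extra /24 that sits inside the earlier /16 to exercise the shadow check.
SAMPLE_MAP = """\
# us.af.mil has TLS problems. IPs taken from SPF record (e.g. dig us.af.mil TXT)
132.3.0.0/16 starttls
131.15.70.0/24 starttls
131.9.253.0/24 starttls
131.27.1.0/24 starttls
132.3.5.0/24 starttls, pipelining
"""


def parse_cidr_map(text):
    """Return [(network, [keywords])] in file order; comments and blanks skipped.
    A malformed line raises ValueError with its line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("line %d: missing result field" % lineno)
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError as exc:
            raise ValueError("line %d: bad network %r" % (lineno, parts[0])) from exc
        # The result is a case-insensitive list of EHLO keywords, separated by
        # commas and/or whitespace.
        keywords = " ".join(parts[1:]).replace(",", " ").lower().split()
        entries.append((net, keywords))
    return entries


def discarded_keywords(entries, client_ip):
    """Keywords the server would drop for this client. Patterns are applied in
    file order and the first match wins, as in cidr_table(5); None if no match."""
    addr = ipaddress.ip_address(client_ip)
    for net, keywords in entries:
        if addr.version == net.version and addr in net:
            return keywords
    return None


def shadowed_entries(entries):
    """(entry, earlier entry) pairs where the earlier, broader pattern always
    matches first, so the later entry is dead configuration."""
    shadowed = []
    for i, (net, _) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append((str(net), str(earlier)))
                break
    return shadowed


def clients_losing_starttls(entries):
    """Networks that are never offered STARTTLS: mail from them arrives in clear."""
    return [str(net) for net, keywords in entries if "starttls" in keywords]


if __name__ == "__main__":
    entries = parse_cidr_map(SAMPLE_MAP)
    print("132.3.5.7   ->", discarded_keywords(entries, "132.3.5.7"))
    print("192.0.2.1   ->", discarded_keywords(entries, "192.0.2.1"))
    print("shadowed    ->", shadowed_entries(entries))
    print("no STARTTLS ->", clients_losing_starttls(entries))
```

The list from clients_losing_starttls is the one worth reviewing each time the map changes: as Rob found, the netblocks are copied from a third party's SPF record, which grows over time, and every block added is another set of senders whose mail crosses the network unencrypted until the underlying incompatibility is found.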


Re: [mailop] Trying to work out cause of "Certificate rejected over TLS. (unknown protocol)" error

2017-01-05 Thread Ken O'Driscoll
Hi Rob,

Without seeing further info my first guess is the sending MTA is forcing an
encryption protocol (like SSLv3) which your endpoint doesn't support. 

Ken.

-- 
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com

On Thu, 2017-01-05 at 20:51 +1100, Robert Mueller wrote:
> We've suddenly had a couple of reports from users about people sending
> to them (e.g. sending from a remote service to our servers) failing and
> bouncing with the error message:
> 
> Certificate rejected over TLS. (unknown protocol)
[...snip...]
