[openssl-dev] [openssl.org #3977] bug report : Ubutu 12.0.4 : Openssl 1.0.1p : allowing connections with EXP cipher

2015-09-01 Thread Emilia Käsper via RT 
Everything seems to be working as intended; closing this ticket.

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3977] bug report : Ubutu 12.0.4 : Openssl 1.0.1p : allowing connections with EXP cipher

2015-08-03 Thread Kurt Roeckx via RT 
On Mon, Aug 03, 2015 at 12:03:26PM +, sandeep umesh via RT wrote:
> I was expecting that openssl will reject connection request with EXP cipher
> which is not happening as seen above.
> Could you please verify this? Thanks

If you configure it to allow export ciphers or ALL, of course it's
going to allow them.  The export ciphers have been removed from
DEFAULT.


Kurt


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3977] bug report : Ubutu 12.0.4 : Openssl 1.0.1p : allowing connections with EXP cipher

2015-08-03 Thread sandeep umesh via RT 
Hi,

I updated openssl version to 1.0.1p (to address logjam) and configured
sendmail.

To verify the logjam fix, I used openssl s_client and connected to the smtp
server.
---
Default log:

$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -cipher EXP
CONNECTED(0003)
140482363598496:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 443 bytes and written 108 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -cipher
EXP-EDH-RSA-DES-CBC-SHA
CONNECTED(0003)
140483069028000:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 443 bytes and written 134 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---




Now, I configured sendmail to set the CIPHER LIST as ALL

$cat /etc/mail/sendmail.cf
.
.
O DHParameters=5
O CipherList=ALL
$

Here, I observe that smtp is allowing connections with
EXP-EDH-RSA-DES-CBC-SHA ciphers
--
Log:
--
$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
CONNECTED(0003)
depth=1 C = In, ST = Kar, L = Ban, O = IBM, CN = test
verify error:num=19:self signed certificate in certificate chain
verify return:0
140467858261664:error:14082174:SSL
routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3366:
---
Certificate chain
 0 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
   i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
 1 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
   i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
Server certificate
-BEGIN CERTIFICATE-
MIICfTCCAeagAwIBAgIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJJbjEM
MAoGA1UECAwDS2FyMQwwCgYDVQQHDANCYW4xDDAKBgNVBAoMA0lCTTENMAsGA1UE
AwwEdGVzdDAeFw0xNTA4MDMxMDM0NDlaFw0xNjA4MDIxMDM0NDlaMEYxCzAJBgNV
BAYTAkluMQwwCgYDVQQIDANLYXIxDDAKBgNVBAcMA0JhbjEMMAoGA1UECgwDSUJN
MQ0wCwYDVQQDDAR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvezpb
zeN3b246bSI240IO2SXjk1IQVCdFY88LDurJPUZ6ifkPXm4XD32HfpXYrCCBYPHz
fw5TjOIbAsyl7qSmeidKExapkvuWOhcnTfUIQabOJ6lJnDtWBRX31SXvP8TyuP7u
qD6sJsSFq2ZhHNqvXcmKlpKMKSPjikB7uatkyQIDAQABo3sweTAJBgNVHRMEAjAA
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQULHCyiorz14LsQKUYOpYP2UdtzE8wHwYDVR0jBBgwFoAUVw8ulnsu
iWYgrABr1o8JYlXXFJcwDQYJKoZIhvcNAQEFBQADgYEAj7oMBUwMaheaVo6VgS+r
QyBzfPfZG6npRf65cpn9k5zyEqgn/B+3zFRw3oODo8zkQu3pF3+mOFsdaxsQfuGg
u0aTWSs3EC8dNW4UxfNXIS82PH9cmVSi9go8+2w0InAQF+n13IT87nHDfgPjvZVO
yDjGIxDUqyRCmiWoh8g0LyA=
-END CERTIFICATE-
subject=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
issuer=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
No client certificate CA names sent
---
SSL handshake has read 2040 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1438601133
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
$

$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -cipher
EXP-EDH-RSA-DES-CBC-SHA
CONNECTED(0003)
depth=1 C = In, ST = Kar, L = Ban, O = IBM, CN = test
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
   i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
 1 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
   i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
Server certificate
-BEGIN CERTIFICATE-
MIICfTCCAeagAwIBAgIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJJbjEM
MAoGA1UECAwDS2FyMQwwCgYDVQQHDANCYW4xDDAKBgNVBAoMA0lCTTENMAsGA1UE
AwwEdGVzdDAeFw0xNTA4MDMxMDM0NDlaFw0xNjA4MDIxMDM0NDlaMEYxCzAJBgNV
BAYTAkluMQwwCgYDVQQIDANLYXIxDDAKBgNVBAcMA0JhbjEMMAoGA1UECgwDSUJN
MQ0wCwYDVQQDDAR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvezpb
zeN3b246bSI240IO2SXjk1IQVCdFY88LDurJPUZ6ifkPXm4XD32HfpXYrCCBYPHz
fw5TjOIbAsyl7qSmeidKExapkvuWOhcnTfUIQabOJ6lJnDtWBRX31SXvP8TyuP7u
qD6sJsSFq2ZhHNqvXcmKlpKMKSPjikB7uatkyQIDAQABo3sweTAJBgNVHRMEAjAA
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQULHCyiorz14LsQKUYOpYP2UdtzE8wHwYDVR0jBBgwFoAUVw8ulnsu
iWYgrABr1o8JYlXXFJcwDQYJKoZIhvcNAQEFBQADgYEAj7oMBUwMaheaVo6VgS+r
QyBzfPfZG6npRf65cpn9k5zyEqgn/B+3zFRw3oODo8zkQu3pF3+mOFsdaxsQfuGg
u0aTWSs3EC8dNW4UxfNXIS82PH9cmVSi9go8+2w0InAQF+n13IT87nHDfgPjvZVO
yDjGIxDUqyRCmiWoh8g0LyA=
-END CERTIFICATE-
subject=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
issuer=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
Acceptable client certificate CA names
/C=In/ST=Kar/L=Ban/O=IBM/CN=