thr3ads.net - dovecot - confused with ssl settings and some error

If this information is useful, please help other people find it:
Share via:

Aki Tuomi

2017-Apr-30 07:11 UTC

confused with ssl settings and some error - need help

What kind of test are you running?

Aki
> On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at poliman.pl>
wrote:
> 
> 
> I turned of ssl_cipher_list in dovecot.conf file (so it's default) but
test
> still gives errors:
> Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
> error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> 
> 
> 2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at poliman.pl>:
> 
> > Cipher list which You post provide better compatibility or security
than
> > those which I currently have?
> > On older software version these cipher list works well and not
generate
> > any errors when I run Internal PCI scan test from
> > https://cloud.tenable.com for another server. But for new server with
> > newer software during test I got errors in mail.err.
> >
> > 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >>
> >> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at
poliman.pl>
> >> wrote:
> >> >
> >> >
> >> > Thank You for answers. But:
> >> > 1. How should be properly configured ssl_cipher_list?
> >>
> >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU
> >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
> >>
> >> To disable non-EC DH, use:
> >>
> >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:
> >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at
STRENGTH
> >>
> >> > 2. Ok, removed !TLSv1 !TLSv1.1.
> >> > 3. Strange thing with ssl_protocols and ssl_cipher_list,
because on
> >> older
> >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0
these two
> >> > lines looks exactly this same and no errors in mail.err file
and mailes
> >> > works without any problem.
> >> > 4. No, currently I don't use LMTP.
> >>
> >> it is possible that postfix is not causing this error.
> >>
> >> >
> >> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at
dovecot.fi>:
> >> >
> >> > >
> >> > > > On April 27, 2017 at 8:12 AM Poliman - Serwis
<serwis at poliman.pl>
> >> wrote:
> >> > > >
> >> > > >
> >> > > > Hi,
> >> > > > To default dovecot.conf file I added (based on
found documentation):
> >> > > > ssl = required
> >> > > > disable_plaintext_auth = yes     #change default
'no' to 'yes'
> >> > > > ssl_prefer_server_ciphers = yes
> >> > > > ssl_options = no_compression
> >> > > > ssl_dh_parameters_length = 2048
> >> > > > ssl_cipher_list > >> > > >
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >> > >
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >> > >
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >> > > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >> > >
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >> > > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >> > >
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >> > >
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >> > > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >> > > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >> > > SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!
> >> > > RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-
> >> > > CBC3-SHA:!KRB5-DES-CBC3-SHA
> >> > > >
> >> > >
> >> > > This looks rather cumbersome way to define ciphers.
> >> > >
> >> > > > 1. Are these settings good or can be improved?
> >> > > > 2. Is this line proper:
> >> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >> > >
> >> > > Well if you only want to support TLSv1.2, which might
lead into
> >> trouble.
> >> > >
> >> > > > or maybe should be:
> >> > > > ssl_protocols = !SSLv2 !SSLv3
> >> > > > 3. Last thing. I have below errors (they appear in
loop in mail.err
> >> log
> >> > > > file):
> >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login:
Error: SSL: Stacked
> >> error:
> >> > > > error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login:
Error: SSL: Stacked
> >> error:
> >> > > > error:1408A10B:SSL
routines:ssl3_get_client_hello:wrong version
> >> number
> >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login:
Error: SSL: Stacked
> >> error:
> >> > > > error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed or
> >> bad
> >> > > record
> >> > > > mac
> >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login:
Error: SSL: Stacked
> >> error:
> >> > > > error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher
> >> > >
> >> > > This means your client did not support your enabled
ciphers.
> >> > >
> >> > > >
> >> > > > When I setup in postfix main.cf file (other lines
default):
> >> > > > tls_ssl_options = no_ticket, no_compression
> >> > > > tls_preempt_cipherlist = yes
> >> > > > smtpd_sasl_security_options=noanonymous,noplaintext
> >> > > >
smtpd_sasl_tls_security_options=noanonymous,noplaintext
> >> > > > smtpd_tls_mandatory_ciphers = high
> >> > > > smtpd_tls_dh1024_param_file =
/etc/postfix/dh2048.pem
> >> > > > #instead of below I tried
smtpd_tls_mandatory_exclude_ciphers but I
> >> > > don't
> >> > > > know what should be setup
> >> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT,
DES, RC4, MD5,
> >> PSK,
> >> > > > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
> >> > > ECDHE-RSA-DES-CBC3-SHA,
> >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> >> > > > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT,
DES, RC4, MD5, PSK,
> >> > > aECDH,
> >> > > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
ECDHE-RSA-DES-CBC3-SHA,
> >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> >> > > >
> >> > > > Is between dovecot and postfix some communication
using above
> >> ciphers or
> >> > > > something that generate that errors in log or maybe
some public
> >> client
> >> > > try
> >> > > > connect and can't establish connection?
> >> > > >
> >> > >
> >> > > If you are using LMTP, then some of those settings will
cause changes
> >> in
> >> > > how LMTP works as well.
> >> > >
> >> > >
> >> > > > Server with Ubuntu 16.04 LTS, postfix 3.1 and
dovecot 2.2.22 and
> >> openssl
> >> > > > 1.0.2k.
> >> > > > --
> >> > > >
> >> > > > *Pozdrawiam / Best Regards*
> >> > > > *Piotr Bracha*
> >> > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > *tel. 534 555 877*
> >> > > >
> >> > > > *serwis at poliman.pl <serwis at poliman.pl>*
> >> > >
> >> > > Aki
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> >
> >> > *Pozdrawiam / Best Regards*
> >> > *Piotr Bracha*
> >> >
> >> >
> >> >
> >> >
> >> > *tel. 534 555 877*
> >> >
> >> > *serwis at poliman.pl <serwis at poliman.pl>*
> >>
> >
> >
> >
> > --
> >
> > *Pozdrawiam / Best Regards*
> > *Piotr Bracha*
> >
> >
> >
> >
> > *tel. 534 555 877*
> >
> > *serwis at poliman.pl <serwis at poliman.pl>*
> >
> 
> 
> 
> -- 
> 
> *Pozdrawiam / Best Regards*
> *Piotr Bracha*
> 
> 
> 
> 
> *tel. 534 555 877*
> 
> *serwis at poliman.pl <serwis at poliman.pl>*

Poliman - Serwis

2017-May-05 05:21 UTC

head link

confused with ssl settings and some error - need help

Internal PCI Scan on Tenable.io website. Of course after register account.

2017-04-30 9:11 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> What kind of test are you running?
>
> Aki
>
> > On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at
poliman.pl>
> wrote:
> >
> >
> > I turned of ssl_cipher_list in dovecot.conf file (so it's default)
but
> test
> > still gives errors:
> > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> > Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record
> > mac
> > Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record
> > mac
> > Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record
> > mac
> > Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record
> > mac
> > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> > Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> >
> >
> > 2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at
poliman.pl>:
> >
> > > Cipher list which You post provide better compatibility or
security
> than
> > > those which I currently have?
> > > On older software version these cipher list works well and not
generate
> > > any errors when I run Internal PCI scan test from
> > > https://cloud.tenable.com for another server. But for new server
with
> > > newer software during test I got errors in mail.err.
> > >
> > > 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at
dovecot.fi>:
> > >
> > >>
> > >> > On April 27, 2017 at 10:55 AM Poliman - Serwis
<serwis at poliman.pl>
> > >> wrote:
> > >> >
> > >> >
> > >> > Thank You for answers. But:
> > >> > 1. How should be properly configured ssl_cipher_list?
> > >>
> > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU
> > >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at
STRENGTH
> > >>
> > >> To disable non-EC DH, use:
> > >>
> > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:
> > >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at
STRENGTH
> > >>
> > >> > 2. Ok, removed !TLSv1 !TLSv1.1.
> > >> > 3. Strange thing with ssl_protocols and ssl_cipher_list,
because on
> > >> older
> > >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix
2.11.0 these
> two
> > >> > lines looks exactly this same and no errors in mail.err
file and
> mailes
> > >> > works without any problem.
> > >> > 4. No, currently I don't use LMTP.
> > >>
> > >> it is possible that postfix is not causing this error.
> > >>
> > >> >
> > >> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at
dovecot.fi>:
> > >> >
> > >> > >
> > >> > > > On April 27, 2017 at 8:12 AM Poliman - Serwis
<
> serwis at poliman.pl>
> > >> wrote:
> > >> > > >
> > >> > > >
> > >> > > > Hi,
> > >> > > > To default dovecot.conf file I added (based on
found
> documentation):
> > >> > > > ssl = required
> > >> > > > disable_plaintext_auth = yes     #change
default 'no' to 'yes'
> > >> > > > ssl_prefer_server_ciphers = yes
> > >> > > > ssl_options = no_compression
> > >> > > > ssl_dh_parameters_length = 2048
> > >> > > > ssl_cipher_list > > >> > >
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> > >> > >
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> > >> > >
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> > >> > > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> > >> > >
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> > >> > >
RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> > >> > >
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> > >> > >
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> > >> > >
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> > >> > >
AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> > >> > >
SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!
> > >> > >
RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-
> > >> > > CBC3-SHA:!KRB5-DES-CBC3-SHA
> > >> > > >
> > >> > >
> > >> > > This looks rather cumbersome way to define ciphers.
> > >> > >
> > >> > > > 1. Are these settings good or can be improved?
> > >> > > > 2. Is this line proper:
> > >> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > >> > >
> > >> > > Well if you only want to support TLSv1.2, which
might lead into
> > >> trouble.
> > >> > >
> > >> > > > or maybe should be:
> > >> > > > ssl_protocols = !SSLv2 !SSLv3
> > >> > > > 3. Last thing. I have below errors (they
appear in loop in
> mail.err
> > >> log
> > >> > > > file):
> > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login:
Error: SSL:
> Stacked
> > >> error:
> > >> > > > error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol
> > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login:
Error: SSL:
> Stacked
> > >> error:
> > >> > > > error:1408A10B:SSL
routines:ssl3_get_client_hello:wrong version
> > >> number
> > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login:
Error: SSL:
> Stacked
> > >> error:
> > >> > > > error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed
> or
> > >> bad
> > >> > > record
> > >> > > > mac
> > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login:
Error: SSL:
> Stacked
> > >> error:
> > >> > > > error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared
> cipher
> > >> > >
> > >> > > This means your client did not support your enabled
ciphers.
> > >> > >
> > >> > > >
> > >> > > > When I setup in postfix main.cf file (other
lines default):
> > >> > > > tls_ssl_options = no_ticket, no_compression
> > >> > > > tls_preempt_cipherlist = yes
> > >> > > >
smtpd_sasl_security_options=noanonymous,noplaintext
> > >> > > >
smtpd_sasl_tls_security_options=noanonymous,noplaintext
> > >> > > > smtpd_tls_mandatory_ciphers = high
> > >> > > > smtpd_tls_dh1024_param_file =
/etc/postfix/dh2048.pem
> > >> > > > #instead of below I tried
smtpd_tls_mandatory_exclude_ciphers
> but I
> > >> > > don't
> > >> > > > know what should be setup
> > >> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL,
EXPORT, DES, RC4, MD5,
> > >> PSK,
> > >> > > > aECDH, EDH-DSS-DES-CBC3-SHA,
EDH-RSA-DES-CBC3-SHA,
> > >> > > ECDHE-RSA-DES-CBC3-SHA,
> > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA,
ECDHE-RSA-RC4-SHA
> > >> > > > smtp_tls_exclude_ciphers = aNULL, eNULL,
EXPORT, DES, RC4, MD5,
> PSK,
> > >> > > aECDH,
> > >> > > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
> ECDHE-RSA-DES-CBC3-SHA,
> > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA,
ECDHE-RSA-RC4-SHA
> > >> > > >
> > >> > > > Is between dovecot and postfix some
communication using above
> > >> ciphers or
> > >> > > > something that generate that errors in log or
maybe some public
> > >> client
> > >> > > try
> > >> > > > connect and can't establish connection?
> > >> > > >
> > >> > >
> > >> > > If you are using LMTP, then some of those settings
will cause
> changes
> > >> in
> > >> > > how LMTP works as well.
> > >> > >
> > >> > >
> > >> > > > Server with Ubuntu 16.04 LTS, postfix 3.1 and
dovecot 2.2.22 and
> > >> openssl
> > >> > > > 1.0.2k.
> > >> > > > --
> > >> > > >
> > >> > > > *Pozdrawiam / Best Regards*
> > >> > > > *Piotr Bracha*
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > *tel. 534 555 877*
> > >> > > >
> > >> > > > *serwis at poliman.pl <serwis at
poliman.pl>*
> > >> > >
> > >> > > Aki
> > >> > >
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> >
> > >> > *Pozdrawiam / Best Regards*
> > >> > *Piotr Bracha*
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > *tel. 534 555 877*
> > >> >
> > >> > *serwis at poliman.pl <serwis at poliman.pl>*
> > >>
> > >
> > >
> > >
> > > --
> > >
> > > *Pozdrawiam / Best Regards*
> > > *Piotr Bracha*
> > >
> > >
> > >
> > >
> > > *tel. 534 555 877*
> > >
> > > *serwis at poliman.pl <serwis at poliman.pl>*
> > >
> >
> >
> >
> > --
> >
> > *Pozdrawiam / Best Regards*
> > *Piotr Bracha*
> >
> >
> >
> >
> > *tel. 534 555 877*
> >
> > *serwis at poliman.pl <serwis at poliman.pl>*
>


-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*serwis at poliman.pl <serwis at poliman.pl>*

Aki Tuomi

2017-May-09 17:34 UTC

head link

confused with ssl settings and some error - need help

Then it's rather expected that you'll get some TLS errors, especially
when tenable.io tests for algorithms to see which ones work and which ones wont.

Aki
> On May 5, 2017 at 8:21 AM Poliman - Serwis <serwis at poliman.pl>
wrote:
> 
> 
> Internal PCI Scan on Tenable.io website. Of course after register account.
> 
> 2017-04-30 9:11 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> 
> > What kind of test are you running?
> >
> > Aki
> >
> > > On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at
poliman.pl>
> > wrote:
> > >
> > >
> > > I turned of ssl_cipher_list in dovecot.conf file (so it's
default) but
> > test
> > > still gives errors:
> > > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol
> > > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol
> > > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version
number
> > > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version
number
> > > Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad
> > record
> > > mac
> > > Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad
> > record
> > > mac
> > > Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad
> > record
> > > mac
> > > Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad
> > record
> > > mac
> > > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> > > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> > > Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked
error:
> > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
> > >
> > >
> > > 2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at
poliman.pl>:
> > >
> > > > Cipher list which You post provide better compatibility or
security
> > than
> > > > those which I currently have?
> > > > On older software version these cipher list works well and
not generate
> > > > any errors when I run Internal PCI scan test from
> > > > https://cloud.tenable.com for another server. But for new
server with
> > > > newer software during test I got errors in mail.err.
> > > >
> > > > 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at
dovecot.fi>:
> > > >
> > > >>
> > > >> > On April 27, 2017 at 10:55 AM Poliman - Serwis
<serwis at poliman.pl>
> > > >> wrote:
> > > >> >
> > > >> >
> > > >> > Thank You for answers. But:
> > > >> > 1. How should be properly configured
ssl_cipher_list?
> > > >>
> > > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU
> > > >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at
STRENGTH
> > > >>
> > > >> To disable non-EC DH, use:
> > > >>
> > > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:
> > > >>
!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
> > > >>
> > > >> > 2. Ok, removed !TLSv1 !TLSv1.1.
> > > >> > 3. Strange thing with ssl_protocols and
ssl_cipher_list, because on
> > > >> older
> > > >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and
postfix 2.11.0 these
> > two
> > > >> > lines looks exactly this same and no errors in
mail.err file and
> > mailes
> > > >> > works without any problem.
> > > >> > 4. No, currently I don't use LMTP.
> > > >>
> > > >> it is possible that postfix is not causing this error.
> > > >>
> > > >> >
> > > >> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi
at dovecot.fi>:
> > > >> >
> > > >> > >
> > > >> > > > On April 27, 2017 at 8:12 AM Poliman -
Serwis <
> > serwis at poliman.pl>
> > > >> wrote:
> > > >> > > >
> > > >> > > >
> > > >> > > > Hi,
> > > >> > > > To default dovecot.conf file I added
(based on found
> > documentation):
> > > >> > > > ssl = required
> > > >> > > > disable_plaintext_auth = yes     #change
default 'no' to 'yes'
> > > >> > > > ssl_prefer_server_ciphers = yes
> > > >> > > > ssl_options = no_compression
> > > >> > > > ssl_dh_parameters_length = 2048
> > > >> > > > ssl_cipher_list > > > >>
> > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> > > >> > >
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> > > >> > >
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> > > >> > >
AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> > > >> > >
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> > > >> > >
RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> > > >> > >
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> > > >> > >
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> > > >> > >
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> > > >> > >
AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> > > >> > >
SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!
> > > >> > >
RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-
> > > >> > > CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > >> > > >
> > > >> > >
> > > >> > > This looks rather cumbersome way to define
ciphers.
> > > >> > >
> > > >> > > > 1. Are these settings good or can be
improved?
> > > >> > > > 2. Is this line proper:
> > > >> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1
!TLSv1.1
> > > >> > >
> > > >> > > Well if you only want to support TLSv1.2,
which might lead into
> > > >> trouble.
> > > >> > >
> > > >> > > > or maybe should be:
> > > >> > > > ssl_protocols = !SSLv2 !SSLv3
> > > >> > > > 3. Last thing. I have below errors (they
appear in loop in
> > mail.err
> > > >> log
> > > >> > > > file):
> > > >> > > > #Apr 25 14:08:09 serwer-1 dovecot:
imap-login: Error: SSL:
> > Stacked
> > > >> error:
> > > >> > > > error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown
> > protocol
> > > >> > > > #Apr 25 14:08:09 serwer-1 dovecot:
imap-login: Error: SSL:
> > Stacked
> > > >> error:
> > > >> > > > error:1408A10B:SSL
routines:ssl3_get_client_hello:wrong version
> > > >> number
> > > >> > > > #Apr 25 14:08:51 serwer-1 dovecot:
imap-login: Error: SSL:
> > Stacked
> > > >> error:
> > > >> > > > error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed
> > or
> > > >> bad
> > > >> > > record
> > > >> > > > mac
> > > >> > > > #Apr 25 14:08:51 serwer-1 dovecot:
imap-login: Error: SSL:
> > Stacked
> > > >> error:
> > > >> > > > error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared
> > cipher
> > > >> > >
> > > >> > > This means your client did not support your
enabled ciphers.
> > > >> > >
> > > >> > > >
> > > >> > > > When I setup in postfix main.cf file
(other lines default):
> > > >> > > > tls_ssl_options = no_ticket,
no_compression
> > > >> > > > tls_preempt_cipherlist = yes
> > > >> > > >
smtpd_sasl_security_options=noanonymous,noplaintext
> > > >> > > >
smtpd_sasl_tls_security_options=noanonymous,noplaintext
> > > >> > > > smtpd_tls_mandatory_ciphers = high
> > > >> > > > smtpd_tls_dh1024_param_file =
/etc/postfix/dh2048.pem
> > > >> > > > #instead of below I tried
smtpd_tls_mandatory_exclude_ciphers
> > but I
> > > >> > > don't
> > > >> > > > know what should be setup
> > > >> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL,
EXPORT, DES, RC4, MD5,
> > > >> PSK,
> > > >> > > > aECDH, EDH-DSS-DES-CBC3-SHA,
EDH-RSA-DES-CBC3-SHA,
> > > >> > > ECDHE-RSA-DES-CBC3-SHA,
> > > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA,
ECDHE-RSA-RC4-SHA
> > > >> > > > smtp_tls_exclude_ciphers = aNULL, eNULL,
EXPORT, DES, RC4, MD5,
> > PSK,
> > > >> > > aECDH,
> > > >> > > > EDH-DSS-DES-CBC3-SHA,
EDH-RSA-DES-CBC3-SHA,
> > ECDHE-RSA-DES-CBC3-SHA,
> > > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA,
ECDHE-RSA-RC4-SHA
> > > >> > > >
> > > >> > > > Is between dovecot and postfix some
communication using above
> > > >> ciphers or
> > > >> > > > something that generate that errors in
log or maybe some public
> > > >> client
> > > >> > > try
> > > >> > > > connect and can't establish
connection?
> > > >> > > >
> > > >> > >
> > > >> > > If you are using LMTP, then some of those
settings will cause
> > changes
> > > >> in
> > > >> > > how LMTP works as well.
> > > >> > >
> > > >> > >
> > > >> > > > Server with Ubuntu 16.04 LTS, postfix 3.1
and dovecot 2.2.22 and
> > > >> openssl
> > > >> > > > 1.0.2k.
> > > >> > > > --
> > > >> > > >
> > > >> > > > *Pozdrawiam / Best Regards*
> > > >> > > > *Piotr Bracha*
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > > *tel. 534 555 877*
> > > >> > > >
> > > >> > > > *serwis at poliman.pl <serwis at
poliman.pl>*
> > > >> > >
> > > >> > > Aki
> > > >> > >
> > > >> >
> > > >> >
> > > >> >
> > > >> > --
> > > >> >
> > > >> > *Pozdrawiam / Best Regards*
> > > >> > *Piotr Bracha*
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> > *tel. 534 555 877*
> > > >> >
> > > >> > *serwis at poliman.pl <serwis at poliman.pl>*
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > *Pozdrawiam / Best Regards*
> > > > *Piotr Bracha*
> > > >
> > > >
> > > >
> > > >
> > > > *tel. 534 555 877*
> > > >
> > > > *serwis at poliman.pl <serwis at poliman.pl>*
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > *Pozdrawiam / Best Regards*
> > > *Piotr Bracha*
> > >
> > >
> > >
> > >
> > > *tel. 534 555 877*
> > >
> > > *serwis at poliman.pl <serwis at poliman.pl>*
> >
> 
> 
> 
> -- 
> 
> *Pozdrawiam / Best Regards*
> *Piotr Bracha*
> 
> 
> 
> 
> *tel. 534 555 877*
> 
> *serwis at poliman.pl <serwis at poliman.pl>*

Reasonably Related Threads

Search for more maybe matching threads

dovecot - May 2017 - confused with ssl settings and some error - need help

confused with ssl settings and some error - need help

confused with ssl settings and some error - need help

confused with ssl settings and some error - need help

Reasonably Related Threads