Debian Bug report logs - #838765
openssl: Last upgrade broke TLS for Outlook under XP
Reported by: "DaB." <debian@daniel.baur4.info>
Date: Sat, 24 Sep 2016 14:33:02 UTC
Severity: normal
Found in version openssl/1.0.1t-1+deb8u4
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#838765; Package openssl. (Sat, 24 Sep 2016 14:33:05 GMT)
Acknowledgement sent to "DaB." <debian@daniel.baur4.info>: New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Sep 2016 14:33:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssl
Version: 1.0.1t-1+deb8u4
Severity: normal
Dear Maintainer,
tonight's update of OpenSSL (1.0.1t-1+deb8u3, 1.0.1t-1+deb8u4) broke the
connection between an Outlook 2007 (12.0.6744.500) under Windows XP and
a postfix under Debian.
See the following log of a connection-try:
-- begin ---
Sep 23 11:26:42 hermes postfix/smtpd[30240]: setting up TLS connection from X.Y.Z.invalid[10.X.Y.Z]
Sep 23 11:26:42 hermes postfix/smtpd[30240]: X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:before/accept initialization
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL3 alert write:fatal:handshake failure
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:error in error
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:error in error
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept error from X.Y.Z.invalid[10.X.Y.Z]: -1
Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1440:
Sep 23 11:26:42 hermes postfix/smtpd[30240]: lost connection after STARTTLS from X.Y.Z.invalid[10.X.Y.Z]
-- end ---
The connection worked fine yesterday and no change was done at Outlook or
Postfix.
The TLS-config in postfix is the following (shortened):
-- begin ---
smtpd_use_tls=yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtpd_tls_eecdh_grade = strong
-- end ---
Of course I’m willing to submit further information if needed.
Sincerely,
DaB.
-- System Information:
Debian Release: 8.4
APT prefers oldstable
APT policy: (900, 'oldstable'), (400, 'stable'), (301, 'oldoldstable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)
Versions of packages openssl depends on:
ii libc6 2.19-18+deb8u4
ii libssl1.0.0 1.0.1t-1+deb8u4
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119+deb7u1
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#838765; Package openssl. (Sat, 24 Sep 2016 15:30:03 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Sep 2016 15:30:03 GMT)
Message #10 received at 838765@bugs.debian.org:
On Fri, Sep 23, 2016 at 12:57:13PM +0000, DaB. wrote:
> X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list
> "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
[...]
> Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem:
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:1440:
With those settings that's expected.
XP only supports RC4 and 3DES, and you should stop using them,
just like you should stop using XP.
We just moved 3DES from HIGH to MEDIUM because of the sweet32
attack. RC4 was already moved to MEDIUM in the past.
You have an "!MEDIUM" there that removes both of them, without
having a possibility to re-add them. The "+RC4" isn't even doing
anything. You probably want to remove that "!MEDIUM", since you
clearly need them.
Kurt
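The cipher-string behaviour described in the reply above, as an added example that is not part of the thread and is not OpenSSL code: a toy model of the `!`, `-`, `+` and `@STRENGTH` operators run over a constructed eight-cipher table, with 3DES classed HIGH (before the update) and MEDIUM (after). The table, the strength values and the three-cipher XP client list are assumptions for illustration, and the model ignores OpenSSL's finer ordering rules.

```python
# Toy model of OpenSSL cipher-string evaluation (illustration only, not OpenSSL code).
# The cipher table is constructed sample data: name -> (class tags, strength bits).

def table(des3_class):
    """Return the sample table with 3DES placed in the given strength class."""
    return {
        "ADH-AES256-SHA": ({"aNULL", "HIGH"}, 256),
        "AES256-SHA":     ({"HIGH"}, 256),
        "AES128-SHA":     ({"HIGH"}, 128),
        "DES-CBC3-SHA":   ({des3_class, "3DES"}, 112),
        "RC4-SHA":        ({"MEDIUM", "RC4"}, 128),
        "RC4-MD5":        ({"MEDIUM", "RC4"}, 128),
        "DES-CBC-SHA":    ({"LOW"}, 56),
        "EXP-RC4-MD5":    ({"EXPORT", "RC4"}, 40),
    }

def expand(spec, ciphers):
    """Evaluate a colon-separated cipher string into an ordered cipher list."""
    active, killed = [], set()
    for token in spec.split(":"):
        if token == "@STRENGTH":
            active.sort(key=lambda n: -ciphers[n][1])   # stable, strongest first
            continue
        tag = token.lstrip("!-+")
        hit = [n for n, (tags, _) in ciphers.items() if tag == "ALL" or tag in tags]
        if token[0] == "!":      # permanent removal: can never be re-added
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif token[0] == "-":    # removal that a later token may undo
            active = [n for n in active if n not in hit]
        elif token[0] == "+":    # only reorders ciphers that are already active
            moved = [n for n in active if n in hit]
            active = [n for n in active if n not in hit] + moved
        else:                    # plain tag: append matches not killed earlier
            active += [n for n in hit if n not in active and n not in killed]
    return active

def shared(spec, des3_class, client):
    """Ciphers the server list and the client offer have in common, server order."""
    return [n for n in expand(spec, table(des3_class)) if n in client]

SPEC = "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"   # from the log above
XP_CLIENT = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]              # assumed client offer

if __name__ == "__main__":
    print("3DES in HIGH   :", shared(SPEC, "HIGH", XP_CLIENT))
    print("3DES in MEDIUM :", shared(SPEC, "MEDIUM", XP_CLIENT))
    print("without !MEDIUM:", shared(SPEC.replace("!MEDIUM:", ""), "MEDIUM", XP_CLIENT))
```

On a real server, `openssl ciphers -v` followed by the quoted cipher string prints the list the installed library actually derives from it.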
Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: You have taken responsibility. (Mon, 17 Oct 2016 20:03:07 GMT)
Notification sent to "DaB." <debian@daniel.baur4.info>: Bug acknowledged by developer. (Mon, 17 Oct 2016 20:03:07 GMT)
Message #15 received at 838765-done@bugs.debian.org:
On 2016-09-24 17:26:30 [+0200], Kurt Roeckx wrote:
> On Fri, Sep 23, 2016 at 12:57:13PM +0000, DaB. wrote:
> > X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list
> > "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
> [...]
> > Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem:
> > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> > cipher:s3_srvr.c:1440:
>
> With those settings that's expected.
closing since it is not an openssl bug but openssl addressing sweet32
(and moving 3des from high to medium class).
Sebastian
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Nov 2016 07:26:43 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 24 07:25:24 2024