Debian Bug report logs - #838765
openssl: Last upgrade broke TLS for Outlook under XP


Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>; Source for openssl is src:openssl.

Reported by: "DaB." <debian@daniel.baur4.info>

Date: Sat, 24 Sep 2016 14:33:02 UTC

Severity: normal

Found in version openssl/1.0.1t-1+deb8u4

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#838765; Package openssl. (Sat, 24 Sep 2016 14:33:05 GMT)


Acknowledgement sent to "DaB." <debian@daniel.baur4.info>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Sep 2016 14:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: "DaB." <debian@daniel.baur4.info>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssl: Last upgrade broke TLS for Outlook under XP
Date: Fri, 23 Sep 2016 12:57:13 +0000
Package: openssl
Version: 1.0.1t-1+deb8u4
Severity: normal

Dear Maintainer,

Tonight's update of OpenSSL (1.0.1t-1+deb8u3, 1.0.1t-1+deb8u4) broke the
connection between an Outlook 2007 (12.0.6744.500) under Windows XP and 
a postfix under Debian.

See the following log of a connection attempt:

-- begin ---

Sep 23 11:26:42 hermes postfix/smtpd[30240]: setting up TLS connection from
X.Y.Z.invalid[10.X.Y.Z]
Sep 23 11:26:42 hermes postfix/smtpd[30240]:
X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list
"aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:before/accept
initialization
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL3 alert
write:fatal:handshake failure
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:error in error
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:error in error
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept error from
X.Y.Z.invalid[10.X.Y.Z]: -1
Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1440:
Sep 23 11:26:42 hermes postfix/smtpd[30240]: lost connection after STARTTLS
from X.Y.Z.invalid[10.X.Y.Z]

-- end ---

The connection worked fine yesterday and no change was made to Outlook or
Postfix.

The TLS config in Postfix is the following (shortened):

-- begin ---

smtpd_use_tls=yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3

tls_preempt_cipherlist      = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers           = medium

smtp_tls_mandatory_ciphers  = $smtpd_tls_mandatory_ciphers
smtp_tls_ciphers            = $smtpd_tls_ciphers

smtpd_tls_eecdh_grade = strong

-- end ---


Of course I’m willing to submit further information if needed.

Sincerely,
DaB.

-- System Information:
Debian Release: 8.4
  APT prefers oldstable
  APT policy: (900, 'oldstable'), (400, 'stable'), (301, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages openssl depends on:
ii  libc6        2.19-18+deb8u4
ii  libssl1.0.0  1.0.1t-1+deb8u4

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119+deb7u1

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#838765; Package openssl. (Sat, 24 Sep 2016 15:30:03 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Sep 2016 15:30:03 GMT)


Message #10 received at 838765@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: "DaB." <debian@daniel.baur4.info>, 838765@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#838765: openssl: Last upgrade broke TLS for Outlook under XP
Date: Sat, 24 Sep 2016 17:26:30 +0200

On Fri, Sep 23, 2016 at 12:57:13PM +0000, DaB. wrote:
> X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list
> "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
[...]
> Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem:
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:1440:

With those settings that's expected.

XP only supports RC4 and 3DES, and you should stop using them,
just like you should stop using XP.

We just moved 3DES from HIGH to MEDIUM because of the sweet32
attack. RC4 was already moved to MEDIUM in the past.

You have an "!MEDIUM" there that removes both of them, without
having a possibility to re-add them. The "+RC4" isn't even doing
anything. You probably want to remove that "!MEDIUM", since you
clearly need them.


Kurt
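
Added example (not part of the original thread and not OpenSSL code): a simplified Python model of how the cipher string from the log is evaluated, before and after 3DES moved from HIGH to MEDIUM. The cipher table, strength values and the XP client list are constructed for illustration; the function names are hypothetical.

```python
# Simplified model of OpenSSL cipher-string operators; not OpenSSL's own code.
SPEC = "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"  # from the log
XP_CLIENT = ["RC4-SHA", "DES-CBC3-SHA"]  # constructed: "XP only supports RC4 and 3DES"

def table(des3_class):
    """Constructed cipher table: (name, class tags, approximate strength bits)."""
    return [
        ("ADH-AES256-SHA", {"aNULL", "HIGH"}, 256),
        ("AES256-SHA", {"HIGH"}, 256),
        ("AES128-SHA", {"HIGH"}, 128),
        ("DES-CBC3-SHA", {des3_class, "3DES"}, 112),  # HIGH before, MEDIUM after
        ("RC4-SHA", {"MEDIUM", "RC4"}, 128),
        ("DES-CBC-SHA", {"LOW"}, 56),
        ("EXP-RC4-MD5", {"EXPORT", "RC4"}, 40),
    ]

def evaluate(spec, ciphers):
    """Return the ordered list of enabled ciphers for a cipher string."""
    tags = {name: t | {"ALL", name} for name, t, _ in ciphers}
    bits = {name: b for name, _, b in ciphers}
    active, killed = [], set()
    for item in spec.split(":"):
        if item == "@STRENGTH":
            active.sort(key=lambda n: -bits[n])  # stable sort, strongest first
            continue
        op = item[0] if item[0] in "!-+" else ""
        match = {n for n in tags if item[len(op):] in tags[n]}
        if op == "!":    # kill: removed and can never be re-added
            killed |= match
            active = [n for n in active if n not in match]
        elif op == "-":  # remove: may be re-added by a later item
            active = [n for n in active if n not in match]
        elif op == "+":  # move already-active matches to the end; adds nothing
            active = ([n for n in active if n not in match]
                      + [n for n in active if n in match])
        else:            # plain tag: append matches not active and not killed
            active += [n for n in tags if n in match
                       and n not in active and n not in killed]
    return active

def shared(spec, des3_class, client=XP_CLIENT):
    """Ciphers the server would accept that the client also offers."""
    return [c for c in evaluate(spec, table(des3_class)) if c in client]

if __name__ == "__main__":
    print("before:", shared(SPEC, "HIGH"))
    print("after: ", shared(SPEC, "MEDIUM"))
    print("without !MEDIUM:", shared(SPEC.replace("!MEDIUM:", ""), "MEDIUM"))
```

With 3DES in MEDIUM the intersection is empty, which corresponds to the "no shared cipher" error in the log; "+RC4" changes nothing in either case because RC4 has already been killed by "!MEDIUM".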




Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Mon, 17 Oct 2016 20:03:07 GMT)


Notification sent to "DaB." <debian@daniel.baur4.info>:
Bug acknowledged by developer. (Mon, 17 Oct 2016 20:03:07 GMT)


Message #15 received at 838765-done@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Kurt Roeckx <kurt@roeckx.be>, 838765-done@bugs.debian.org
Cc: "DaB." <debian@daniel.baur4.info>
Subject: Re: [Pkg-openssl-devel] Bug#838765: Bug#838765: openssl: Last upgrade broke TLS for Outlook under XP
Date: Mon, 17 Oct 2016 21:59:13 +0200

On 2016-09-24 17:26:30 [+0200], Kurt Roeckx wrote:
> On Fri, Sep 23, 2016 at 12:57:13PM +0000, DaB. wrote:
> > X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list
> > "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
> [...]
> > Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem:
> > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> > cipher:s3_srvr.c:1440:
> 
> With those settings that's expected.

closing since it is not an openssl bug but openssl addressing sweet32
(and moving 3des from high to medium class).

Sebastian



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Nov 2016 07:26:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 24 07:25:24 2024; Machine Name: buxtehude
