Hello everyone,
UTM V11 is in use as a smarthost. Outgoing e-mail gets stuck in the queue with the message: deferred: 403 4.7.0 TLS handshake failed!
For testing, the change (Try_TLS: NO) was made in the template /etc/mail/access, and the mail went out.
I also tested with the following:
openssl s_client -connect $ZIEL_MAIL_SYSTEM:25 -starttls smtp -state
openssl s_client -connect $ZIEL_MAIL_SYSTEM:25 -starttls smtp -state -no_tls1_2
and there TLSv1 is displayed, while on my system it is TLSv1.2.
What is the cause?
Is there a way to make an exception only for a specific domain, or are there other solutions?
Thanks for your help
Khani
[Solved] TLS handshake failed
Moderator: Securepoint
Hello Khani,
the remote site may be using a DH key that is too weak.
That can be found out with the Cipherscan tool.
Because of CVE-2015-4000 aka Logjam, the services on the UTM require a DH key larger than 512 bits.
Regards
Kenneth
Thanks!
Here is the excerpt:
SSL handshake has read 6747 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID: 8A185EEADA189D592B89296F90FD972670426D3A12BB1BDD8DEF38CF241ACA7D
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1485520773
Timeout : 300 (sec)
Verify return code: 0 (ok)
Kind regards
Hello,
the result from Cipherscan:
Certificate: untrusted, bits, signature
TLS ticket lifetime hint:
NPN protocols:
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: none - fallback: no
Renegotiation test error
Supported compression methods test error
TLS Tolerance: no
Fallbacks required:
big-SSLv3 config not supported, connection failed
big-TLSv1.0 config not supported, connection failed
big-TLSv1.1 config not supported, connection failed
big-TLSv1.2 config not supported, connection failed
small-SSLv3 config not supported, connection failed
small-TLSv1.0 config not supported, connection failed
small-TLSv1.0-notlsext config not supported, connection failed
small-TLSv1.1 config not supported, connection failed
small-TLSv1.2 config not supported, connection failed
v2-big-TLSv1.2 config not supported, connection failed
v2-small-SSLv3 config not supported, connection failed
v2-small-TLSv1.0 config not supported, connection failed
v2-small-TLSv1.1 config not supported, connection failed
v2-small-TLSv1.2 config not supported, connection failed
Host does not seem to support SSL or TLS protocol
Kind regards
Khani
How did you run the command? (No DH keys are visible.)
Here is an example:
# cipherscan -starttls smtp smtp.example.net:25
Following your example:
prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint ocsp_staple npn pfs
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None DH,512bits None
2 AES256-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
3 DHE-RSA-AES128-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None DH,512bits None
4 AES128-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
5 RC4-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
6 RC4-MD5 SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
7 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None DH,512bits None
8 DES-CBC3-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
9 EDH-RSA-DES-CBC-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None DH,512bits None
10 EXP1024-DES-CBC-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
11 DES-CBC-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
12 EXP1024-RC2-CBC-MD5 SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
13 EXP1024-RC4-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
14 EXP1024-RC4-MD5 SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
15 EXP-EDH-RSA-DES-CBC-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None DH,512bits None
16 EXP-DES-CBC-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
17 EXP-RC2-CBC-MD5 SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
18 EXP-RC4-MD5 SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
19 RC2-CBC-MD5 SSLv2 4096 sha256WithRSAEncryption False None False None None None
20 DES-CBC3-MD5 SSLv2 4096 sha256WithRSAEncryption False None False None None None
21 RC4-64-MD5 SSLv2 4096 sha256WithRSAEncryption False None False None None None
22 DES-CBC-MD5 SSLv2 4096 sha256WithRSAEncryption False None False None None None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: unknown - fallback: no
Server DOESN'T support secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: no
Fallbacks required:
big-SSLv3 no fallback req, connected: SSLv3 DHE-RSA-AES256-SHA
big-TLSv1.0 no fallback req, connected: TLSv1 DHE-RSA-AES256-SHA
big-TLSv1.1 no fallback req, connected: TLSv1 DHE-RSA-AES256-SHA
big-TLSv1.2 no fallback req, connected: TLSv1 DHE-RSA-AES256-SHA
Host does not seem to support SSL or TLS protocol
Thanks for the quick reply and kind regards
Khani
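As an added example (not from this thread or from Securepoint): a small Python checker for the cipherscan table format shown above. It flags suites whose ephemeral DH group is below a configurable minimum (the Logjam case Kenneth describes), export-grade suites, and SSLv2-only suites. The sample rows are taken from the output above; the default `min_dh_bits=1024` is my assumption, while the thread's UTM rejects groups of 512 bits or less.

```python
import re

# Constructed sample in the cipherscan table format from the thread (four rows of the output
# above). The header lacks the trailing "curves" column, so rows are mapped by header position.
SAMPLE = """\
prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint ocsp_staple npn pfs
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None DH,512bits None
2 AES256-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None None None
10 EXP1024-DES-CBC-SHA SSLv3,TLSv1 4096 sha256WithRSAEncryption True None False None RSA,512bits None
19 RC2-CBC-MD5 SSLv2 4096 sha256WithRSAEncryption False None False None None None
"""

PFS_RE = re.compile(r"^(DH|ECDH|RSA),(?:[^,]+,)?(\d+)bits$")

def parse_table(text):
    """Return the cipherscan rows as dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        tok = ln.split()
        if len(tok) < len(header):
            continue  # summary lines that follow the table are not rows
        rows.append(dict(zip(header, tok)))  # tokens beyond the header are dropped
    return rows

def kex_bits(pfs):
    """'DH,512bits' -> ('DH', 512); 'ECDH,P-256,256bits' -> ('ECDH', 256); 'None' -> (None, None)."""
    m = PFS_RE.match(pfs)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def weak_suites(text, min_dh_bits=1024):
    """Flag suites a client with DH minimum min_dh_bits would reject or should not use.
    min_dh_bits=1024 is an assumption; the UTM in the thread rejects groups of 512 bits or less."""
    findings = []
    for r in parse_table(text):
        kind, bits = kex_bits(r["pfs"])
        if kind == "DH" and bits < min_dh_bits:
            reason = f"ephemeral DH group of {bits} bits is below {min_dh_bits} (Logjam, CVE-2015-4000)"
        elif r["ciphersuite"].startswith("EXP"):
            reason = "export-grade suite"
        elif "SSLv2" in r["protocols"].split(","):
            reason = "SSLv2 only"
        else:
            continue
        findings.append((int(r["prio"]), r["ciphersuite"], reason))
    return findings
```

`weak_suites(SAMPLE)` returns the flagged rows as (prio, ciphersuite, reason) tuples; feed it the full table from a live `cipherscan -starttls smtp host:25` run to see which suites a client with a DH minimum would refuse.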