From: David Carvalho on 8 Jun 2010 14:07

Hi!

I am having trouble since I replaced my e-mail server (hardware, and to Fedora 12). Basically I'm using almost the same sendmail.mc file as in the previous server.

The problem is that Windows XP clients running Outlook, Outlook Express or Windows Mail cannot relay, as they fail to STARTTLS. On those systems everything works fine if using Thunderbird. Using Windows 7 and OS X everything works fine.

In my previous server logs, I saw that these clients used the RC4-MD5 cipher, but now I get

    STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1

and other times

    STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1

depending on which client.

I've found some information confirming this issue with older Windows at http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html

How can I get those Windows clients to relay using the same e-mail clients? Any help appreciated.

Regards
David
From: David Carvalho on 9 Jun 2010 08:55

Hi!

After installing ssldump, I could compare the Windows XP and Windows 7 clients' STARTTLS negotiation. While Windows 7 used TLS_RSA_WITH_AES_128_CBC_SHA via TLSv1/SSLv3, the Windows XP output is:

    New TCP connection #1: 10.0.0.252(5000) <-> my.server (25)
    1 1  0.0182 (0.0182)  C>S  SSLv2 compatible client hello
      Version 3.1
      cipher suites
      TLS_RSA_WITH_RC4_128_MD5
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      SSL2_CK_RC4
      SSL2_CK_3DES
      SSL2_CK_RC2
      TLS_RSA_WITH_DES_CBC_SHA
      SSL2_CK_DES
      TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT_WITH_RC4_40_MD5
      TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
      SSL2_CK_RC4_EXPORT40
      SSL2_CK_RC2_EXPORT40
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      TLS_DHE_DSS_WITH_DES_CBC_SHA
      TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    1 2  0.0188 (0.0005)  S>C  Handshake
          ServerHello
            Version 3.1
            session_id[32]=
              3e d1 e3 37 a1 47 c0 87 ff 1c 8b bf ab f3 fa 94
              f7 da e7 27 d1 54 cf 10 95 ad ec c9 b4 90 b1 6d
            cipherSuite         TLS_RSA_WITH_RC4_128_MD5
            compressionMethod   NULL
    1 3  0.0188 (0.0000)  S>C  Handshake
          Certificate
    1 4  0.0202 (0.0014)  S>C  Handshake
    1 5  0.0202 (0.0000)  S>C  Handshake
    1    0.0229 (0.0026)  C>S  TCP FIN
    1    0.0230 (0.0001)  S>C  TCP FIN
    New TCP connection #2: 10.0.0.252(1025) <-> my.server(25)
    2    60.0266 (60.0266)  C>S  TCP FIN
    2    60.0267 (0.0000)   S>C  TCP FIN

So how can I enable SSLv2 support, assuming that this is the problem? Any help appreciated.

Thanks and regards
David
From: Ole Hansen on 9 Jun 2010 10:31

David Carvalho wrote:
> So how can I enable SSLv2 support, assuming that this is the problem?

Well ... check if the desired cipher/protocol etc. are enabled in openssl. If not, rebuild openssl with appropriate options. If yes, probably need to rebuild sendmail to enable lower-grade encryption.

On my Fedora 11 box, SSLv2 and RC4-MD5 are definitely enabled in the default openssl installation. Don't know about the sendmail configuration, but RC4-MD5 and submission from Outlook Express/WinXP worked (as you know) still fine as recently as Fedora 9, so it should be too hard to compare rpm spec files for some obvious changes in configuration options.

HTH,
Ole
From: Ole Hansen on 9 Jun 2010 10:33

Oops, sorry for the hasty typing:

Ole Hansen wrote:
> Well ... check if the desired cipher/protocol etc. are enabled in openssl.
> If not, rebuild openssl with appropriate options.
> If yes, probably need to rebuild sendmail to enable lower-grade encryption.
>
> On my Fedora 11 box, SSLv2 and RC4-MD5 are definitely enabled in the
> default openssl installation. Don't know about the sendmail
> configuration, but RC4-MD5 and submission from Outlook Express/WinXP

Delete the "and" after "RC4-MD5".

> worked (as you know) still fine as recently as Fedora 9, so it should be

Meant to say "shouldn't" not "should".

> too hard to compare rpm spec files for some obvious changes in
> configuration options.
>
> HTH,
> Ole
From: David Carvalho on 9 Jun 2010 11:24
Thanks for the reply. This is what I get using openssl ciphers -v 'SSLv2':

    DES-CBC3-MD5     SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
    RC2-CBC-MD5      SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
    RC4-MD5          SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    DES-CBC-MD5      SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
    EXP-RC2-CBC-MD5  SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
    EXP-RC4-MD5      SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Searching for other RC4 encryptions with openssl ciphers -v | grep -i rc4 I get:

    RC4-SHA          SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-MD5          SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    PSK-RC4-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
    KRB5-RC4-SHA     SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
    KRB5-RC4-MD5     SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
    EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
    EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=SHA1 export
    EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=MD5  export

So I guess that openssl is not the issue here, as I have several supported RC4 types (both SSLv2 and SSLv3), right? How can I tell sendmail to also use SSLv2 RC4 ciphers?

What do you mean by "Delete the "and" after "RC4-MD5"."?

Thank you very much
Regards
Dave