TLS problem after upgrading from v2.2 to v2.3

TLS problem after upgrading from v2.2 to v2.3

Jan Vejvalka
Thanks for your reply; I used the defaults, both before and after the
upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default
changes. The new defaults broke the connection.

Jan



> what are your settings?
>
> Mine are below and they work just fine:
>
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

Re: TLS problem after upgrading from v2.2 to v2.3

Goetz Schultz
Hi Jan,

Fair enough. You may want to try mine to see if it works - if yes, it
might be worthwhile digging deeper. Tbh I haven't had default settings on
for a long time.


Thanks and regards

  Goetz R. Schultz

On 06/01/18 18:30, Jan Vejvalka wrote:

> Thanks for your reply; I used the defaults, both before and after the
> upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default
> changes. The new defaults broke the connection.
>
> Jan
>
>
>
>> what are your settings?
>>
>> Mine are below and they work just fine:
>>
>> ssl_cipher_list =
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
>>
>



Re: TLS problem after upgrading from v2.2 to v2.3

Jan Vejvalka
Hi Goetz,

   thanks, I tried your list - and I quickly ran back, as I noticed
that this time I disconnected a user who is much less cooperative :-)

Jan


On 06.01.2018 20:47, Goetz Schultz wrote:

> Hi Jan,
>
> Fair enough. You may want to try mine to see if it works - if yes,
> it might be worthwhile digging deeper. Tbh I haven't had default settings
> on for a long time.
>
>
> Thanks and regards
>
> Goetz R. Schultz
>
> On 06/01/18 18:30, Jan Vejvalka wrote:
>> Thanks for your reply; I used the defaults, both before and after
>> the upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting
>> default changes. The new defaults broke the connection.
>>
>> Jan
>>
>>
>>
>>> what are your settings?
>>>
>>> Mine are below and they work just fine:
>>>
>>> ssl_cipher_list =
>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
>>>
>>
>

Re: TLS problem after upgrading from v2.2 to v2.3

Joseph Tam-2
Jan Vejvalka <[hidden email]> writes:

>> Mine are below and they work just fine:
>>
>> ssl_cipher_list =
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

I notice all the ciphers use DH, so did you generate a permanent DH key?

  (https://wiki2.dovecot.org/Upgrading/2.3)

  ssl-parameters.dat file is now obsolete. You should use ssl_dh
  setting instead: ssl_dh=</etc/dovecot/dh.pem

  You can convert an existing ssl-parameters.dat to dh.pem:

  dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem

Joseph Tam <[hidden email]>

Re: TLS problem after upgrading from v2.2 to v2.3

Aki Tuomi-2


On 08.01.2018 09:41, Joseph Tam wrote:

> Jan Vejvalka <[hidden email]> writes:
>
>>> Mine are below and they work just fine:
>>>
>>> ssl_cipher_list =
>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
>>>
>
> I notice all the ciphers use DH, so did you generate a permanent DH
> key?
>
>     (https://wiki2.dovecot.org/Upgrading/2.3)
>
>     ssl-parameters.dat file is now obsolete. You should use ssl_dh
>     setting instead: ssl_dh=</etc/dovecot/dh.pem
>
>     You can convert an existing ssl-parameters.dat to dh.pem:
>
>     dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl
> dh -inform der > /etc/dovecot/dh.pem
>
> Joseph Tam <[hidden email]>

Dovecot won't actually start without ssl_dh. That warning is about
dovecot converting the old DH key in ssl-parameters.dat into a DH parameter.

On a related note, we would be interested in finding out what particular
cipher (suites) are missing, that are preventing clients from accessing
dovecot.

Aki
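The two practical points raised above (Joseph's: convert the old ssl-parameters.dat into a dh.pem for the DHE suites in that cipher list; Aki's: Dovecot 2.3 does not start without ssl_dh, and it would help to know which suites clients are missing) can be checked with a small shell script. This is an added example, not code from the thread's authors or from the Dovecot project. It assumes POSIX sh with sed, grep and dd, an openssl binary on PATH for the parts that parse, convert or generate DH parameters, and a config file in Dovecot's `ssl_dh = </path` syntax; the function names, the sample config it is tested against and the default 4096-bit size are our choices. The conversion step uses the same byte offset (88) and DER input as the command quoted in the thread, via `openssl dhparam` rather than the older `openssl dh` alias. Note that only the DHE-* suites in the list need ssl_dh; the ECDHE-* suites use named curves and do not.

```shell
#!/bin/sh
# Added example (not the thread authors' or the Dovecot project's code).
# Audits a Dovecot 2.3 configuration for the ssl_dh requirement discussed
# in the thread and shows which suites a cipher list expands to locally.
# Assumptions: POSIX sh, sed/grep/dd, and openssl on PATH for the parts
# that parse, convert or generate DH parameters.

# Print the file referenced by "ssl_dh = </path/to/dh.pem" (empty if unset).
ssl_dh_path() {
    conf="$1"
    # Commented-out lines never match because the pattern is anchored at
    # the start of the line; the "<" prefix tells Dovecot to read a file.
    # The last definition wins, as it does in Dovecot's own parser.
    sed -n 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*<\(.*\)$/\1/p' "$conf" | tail -n 1
}

# Return 0 if the file holds PEM DH parameters that openssl can parse.
# Without openssl, fall back to checking for the PEM header only.
dh_file_ok() {
    dh="$1"
    [ -r "$dh" ] || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl dhparam -in "$dh" -noout >/dev/null 2>&1
    else
        grep -q 'BEGIN DH PARAMETERS' "$dh"
    fi
}

# Convert a pre-2.3 ssl-parameters.dat to dh.pem, as the thread describes:
# the DER-encoded DH parameters start at byte 88 of that file.
convert_old_params() {
    old="$1"; out="$2"
    dd if="$old" bs=1 skip=88 2>/dev/null | openssl dhparam -inform der -out "$out"
}

# Generate fresh parameters when there is nothing to convert.
# The size is our choice (assumption); 2048 bits or more is reasonable.
generate_dh() {
    out="$1"; bits="${2:-4096}"
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Expand an ssl_cipher_list string to the suites the local OpenSSL offers,
# one per line. To find out which suites went missing after the upgrade,
# run it against the old and the new list and diff the two outputs.
expand_cipher_list() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Report whether ssl_dh is set and usable.
# Returns 0 when the DH setup is fine, 1 when ssl_dh is unset, 2 when the
# referenced file is missing or does not parse as DH parameters.
audit_dovecot_dh() {
    conf="$1"
    dh=$(ssl_dh_path "$conf")
    if [ -z "$dh" ]; then
        echo "ssl_dh is not set in $conf; Dovecot 2.3 will not start" >&2
        return 1
    fi
    if dh_file_ok "$dh"; then
        echo "ssl_dh -> $dh: OK"
        return 0
    fi
    echo "ssl_dh -> $dh: missing or not valid DH parameters" >&2
    return 2
}

# Run the audit only when a config path is given, e.g.:
#   sh dh_audit.sh /etc/dovecot/dovecot.conf
if [ $# -gt 0 ]; then
    audit_dovecot_dh "$1"
fi
```

If the audit reports that ssl_dh is unset or the file is unusable, either `convert_old_params /var/lib/dovecot/ssl-parameters.dat /etc/dovecot/dh.pem` (when the old file still exists) or `generate_dh /etc/dovecot/dh.pem` produces the file to reference from the config.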