On 09.05.2014 10:33, Robert Schetterer wrote:
On 09.05.2014 08:29, Sebastian Goodrick wrote:
my speculation was, it leaves too few ciphers left
OK, but does the old dovecot/openssl version provide fewer ciphers than the new install?
sorry, I am short on time
dovecot has setup options for ciphers related to your openssl version
please read
http://www.michaelboman.org/books/sslscan
http://www.unixwitch.de/de/sysadmin/tools/imap-mit-ssl-testen
https://sys4.de/de/blog/2013/08/15/dovecot-tls-perfect-forward-secrecy/
http://wiki2.dovecot.org/SSL/DovecotConfiguration
http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1...
I'm not too familiar with what ciphers ship with OpenSSL in what version.
type
openssl ciphers
to see ciphers on your server with your openssl version
and
openssl s_client -connect imap.example.com:143 -starttls imap
for general testing
My naive assumption is, a new version ships with more ciphers, hence this shouldn't be an issue. (Unless there is a new bug in a cipher.)
there must be matching ciphers
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
I just learned there is a tool called gpedit.msc on win8 :) "Use FIPS compliant algorithms for encryption, hashing, and signing" is disabled on my machine. From what I understand, this indicates that it can use more/all available ciphers.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/FIPSAlgorithmPolicy/Enabled
I can find this key (it is set to DisplayType=0 and ValueType=4) but I don't understand what I can change there and what this setting indicates. Needless to say, my Windows administration knowledge is limited.
As written, I will test it, but it will take time
Regards, Sebastian
Best Regards MfG Robert Schetterer
Hi Sebastian, sorry for the delay, I could not reproduce your problem; I speculate you have wrong settings in your server/client setup and/or you have firewalls, loadbalancers or proxies between server and client which fail with some ciphers
As written, I did a test setup
brand new win 8.1 pro german 32 install all updates
brand new outlook 2013 german 32 all updates
as vm in vmware player
no other special settings done beside install classicshell and firefox
server ubuntu trusty latest dovecot 2.2.13 patchlevel yesterday
test openssl server
OpenSSL 1.0.1f 6 Jan 2014
openssl s_client -starttls imap -cipher 'ECDH:DH' -connect localhost:143
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
....
ssl crt from rapidssl
login method (for testing): plain login
2014-05-17T19:22:20.901285+02:00 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2014-05-17T19:22:20.901800+02:00 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2014-05-17T19:22:20.907542+02:00 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
2014-05-17T19:22:20.908615+02:00 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
2014-05-17T19:22:20.913605+02:00 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
2014-05-17T19:22:20.913635+02:00 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so
2014-05-17T19:22:20.913770+02:00 mail dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
2014-05-17T19:22:20.914136+02:00 mail dovecot: auth: Debug: passwd-file /etc/dovecot/users: Read 1 users in 0 secs
2014-05-17T19:22:20.914161+02:00 mail dovecot: auth: Debug: auth client connected (pid=30359)
2014-05-17T19:22:20.997162+02:00 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [1.2.3.4]
2014-05-17T19:22:20.997190+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [1.2.3.4]
2014-05-17T19:22:20.997210+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [1.2.3.4]
2014-05-17T19:22:21.037845+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [1.2.3.4]
2014-05-17T19:22:21.037873+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [1.2.3.4]
2014-05-17T19:22:21.038062+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [1.2.3.4]
2014-05-17T19:22:21.043376+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [1.2.3.4]
2014-05-17T19:22:21.043395+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [1.2.3.4]
2014-05-17T19:22:21.043416+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [1.2.3.4]
2014-05-17T19:22:21.043436+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [1.2.3.4]
2014-05-17T19:22:21.043447+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [1.2.3.4]
2014-05-17T19:22:21.400072+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [1.2.3.4]
2014-05-17T19:22:21.400274+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [1.2.3.4]
2014-05-17T19:22:21.400363+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [1.2.3.4]
2014-05-17T19:22:21.400388+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [1.2.3.4]
2014-05-17T19:22:21.400451+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [1.2.3.4]
2014-05-17T19:22:21.400477+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [1.2.3.4]
2014-05-17T19:22:21.400497+02:00 mail dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [1.2.3.4]
2014-05-17T19:22:21.400513+02:00 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [1.2.3.4]
2014-05-17T19:22:21.530462+02:00 mail dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=vqTaxZv5+QBY2Ym1#011lip=88.198.69.105#011rip=1.2.3.4#011lport=143#011rport=34041#011resp=AHVzZXIxAHBhc3M= (previous base64 data may contain sensitive data)
2014-05-17T19:22:21.530657+02:00 mail dovecot: auth: Debug: passwd-file(user1,1.2.3.4,<vqTaxZv5+QBY2Ym1>): lookup: user=user1 file=/etc/dovecot/users
2014-05-17T19:22:21.530691+02:00 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=user1
2014-05-17T19:22:21.532921+02:00 mail dovecot: auth: Debug: master in: REQUEST#0112559311873#01130359#0111#01105dec904a2d70034ed3208c9f0b9030e#011session_pid=30362#011request_auth_token
2014-05-17T19:22:21.532939+02:00 mail dovecot: auth: Debug: passwd-file(user1,1.2.3.4,<vqTaxZv5+QBY2Ym1>): lookup: user=user1 file=/etc/dovecot/users
2014-05-17T19:22:21.532954+02:00 mail dovecot: auth: Debug: master userdb out: USER#0112559311873#011user1#011mail=maildir:~/maildir#011uid=1001#011gid=1001#011home=/mnt/user1#011auth_token=d2209447f66ca5732086c5dac94732cd613a538d
2014-05-17T19:22:21.533157+02:00 mail dovecot: imap-login: Login: user=<user1>, method=PLAIN, rip=1.2.3.4, lip=2.3.4.5, mpid=30362, TLS, session=<vqTaxZv5+QBY2Ym1>
settings mostly default
10-ssl.conf
# DH parameters length to use.
ssl_dh_parameters_length = 1024
# SSL protocols to use
ssl_protocols = !SSLv2
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
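Editor's note: the thread above recommends checking the server's cipher list with `openssl ciphers` and probing the IMAP server with `openssl s_client -starttls imap`, then shows Dovecot's imap-login debug output for a successful handshake. The script below is an added example (not code from the thread, from Dovecot or from sys4) that turns those manual checks into functions: it expands a cipher string into individual suites, probes each one against a STARTTLS IMAP server and reports which suites the server (or a middlebox in between, as Robert suspects) refuses, and summarizes Dovecot debug lines into the negotiated curve and handshake result. The openssl CLI is assumed to be installed for the live probes; imap.example.com:143 is a placeholder, and the sample s_client output and log lines embedded in the script are constructed to match the shape of the excerpts in the thread.

```shell
#!/bin/sh
# Added example: probe which cipher suites an IMAP server actually negotiates
# and summarize Dovecot imap-login SSL debug output. Not code from the thread.
# Assumptions: openssl CLI available for live probes; imap.example.com:143 is a placeholder.

# Parse `openssl s_client` output from stdin into "protocol cipher".
# Prints "none none" when no handshake completed (cipher empty, 0000 or (NONE)).
parse_s_client_output() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") print "none none"
            else print proto, cipher
        }'
}

# Expand an OpenSSL cipher string (e.g. ECDH:DH) into one suite per line,
# exactly as this host's OpenSSL build resolves it (the thread's `openssl ciphers`).
list_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Try one suite against a STARTTLS IMAP server; prints "suite protocol cipher".
# </dev/null closes the session right after the handshake.
probe_cipher() {
    host=$1; port=$2; suite=$3
    result=$(openssl s_client -starttls imap -connect "$host:$port" -cipher "$suite" \
             </dev/null 2>/dev/null | parse_s_client_output)
    echo "$suite $result"
}

# Probe every suite in a cipher string. Suites reported as "none none" are the
# ones the server, or something between client and server, will not negotiate.
probe_all() {
    host=$1; port=$2; cipherstring=$3
    list_ciphers "$cipherstring" | while read -r suite; do
        probe_cipher "$host" "$port" "$suite"
    done
}

# Summarize Dovecot imap-login SSL debug lines from stdin into
# "curve=<name> handshake=ok|incomplete".
summarize_dovecot_log() {
    awk '
        /elliptic curve .* will be used for ECDH/ {
            for (i = 1; i <= NF; i++) if ($i == "curve") curve = $(i + 1)
        }
        /SSL negotiation finished successfully/ { ok = 1 }
        END {
            printf "curve=%s handshake=%s\n", (curve == "" ? "unknown" : curve), (ok ? "ok" : "incomplete")
        }'
}

# Constructed sample, shaped like the s_client excerpt in the thread.
SAMPLE_S_CLIENT_OUTPUT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample, shaped like the Dovecot debug lines in the thread.
SAMPLE_DOVECOT_LOG='2014-05-17T19:22:20.901285+02:00 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2014-05-17T19:22:21.400497+02:00 mail dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [1.2.3.4]'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | parse_s_client_output
printf '%s\n' "$SAMPLE_DOVECOT_LOG" | summarize_dovecot_log
# Live probe against a real server (needs network and openssl):
#   probe_all imap.example.com 143 'ECDH:DH'
```

Running `probe_all` with the same cipher string on the server itself (against localhost, as Robert did) and from the client network shows directly whether a suite that works locally disappears once a firewall, loadbalancer or proxy sits in the path; a suite that prints "none none" only from the client side points at the middlebox rather than at Dovecot's `ssl_cipher_list`.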