Re: Problem using TLS: lost connection after STARTTLS

  • Viktor Dukhovni
    Jun 18, 2013
      On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:

      > > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
      > > attribute in the Postfix policy table.
      >
      > Thanks, that worked (postfix 2.8.13):
      >
      > policy_table:
      > [mxtls.allianz.com] verify protocols=SSLv3:TLSv1

      With the destination domain in [], or when "match=..." is explicitly
      specified, the "verify" and "secure" levels are identical, otherwise
      I would probably shun "verify" and use "secure" with explicit "match"
      clauses as required.

      > Currently I fear that other partners might also be affected by this.
      > Now the queues are almost empty but most traffic with other mandatory
      > TLS partner sites will start to continue during work hours Mo-Fr and
      > I'll be out of office for a week. What do you think about deactivating
      > v1.1 and v1.2 globally?

      Unlikely to cause any harm, and may help with some destinations.
      You lose support for AEAD modes which protect against "CRIME" and
      "BEAST", but those attacks are browser-specific.

      > smtp_tls_mandatory_protocols = !SSLv2
      > smtp_tls_protocols = !SSLv2
      >
      > Suggestion:
      > smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
      > smtp_tls_protocols = !SSLv2

      You can set both the same for now. Ideally there'll be some pressure
      on sites with broken TLSv1.2 (TLSv1.1 is a far more modest change)
      to get their implementations upgraded. But if you have critical
      traffic, it may be reasonable to be conservative in what you send...

      > Will this work or are we expected to run into other compatibility issues
      > with that from your experience?

      TLSv1 is tried and true and largely sufficient; it is a very safe choice.

      > P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
      > which also seems to work fine:
      >
      > # ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
      > libssl.so.1.0.0 => /opt/vrnetze/openssl/lib/libssl.so.1.0.0
      > libcrypto.so.1.0.0 => /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0
      >
      > Am I right concluding that this won't require a postfix rebuild on new
      > openssl 1.0.x versions?

      I can't speak for the stability of the OpenSSL ABI. It is *supposed*
      to work; whether it will, only time will tell. Many other users will
      rely on this stability on systems where 1.0.0 or 1.0.1 is the default
      OpenSSL library:

      $ openssl version
      OpenSSL 1.0.1e 11 Feb 2013

      $ ldd $(type -p openssl) |
      grep /usr/lib |
      awk '{printf "%-20s %s\n", $1,$3}'
      libssl.so.1.0.0 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
      libcrypto.so.1.0.0 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

      --
      Viktor.
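Added here as an illustration, not code from Postfix or from anyone in this thread: a small Python model of how the protocol lists discussed above combine for one destination. It assumes the "!"-exclusion / inclusion-list semantics that postconf(5) describes for smtp_tls_protocols, and that a protocols= attribute in the policy table overrides the global mandatory list for that destination.

```python
# Added example (not Postfix code): model which TLS protocol versions the
# Postfix SMTP client would offer to a destination, given the main.cf lists
# and the policy-table entry from this thread. Assumed semantics: entries
# prefixed with "!" are exclusions; if any entry appears without "!", the
# list is an inclusion list and only those protocols are enabled.
import re

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
MANDATORY_LEVELS = {"encrypt", "verify", "secure", "fingerprint"}

def parse_protocol_list(spec):
    """Return the set of enabled protocol names for a Postfix protocol list.
    main.cf lists use whitespace/commas; the policy table's protocols=
    attribute uses ':' because whitespace is not allowed in that value."""
    include, exclude = set(), set()
    for tok in re.split(r"[\s,:]+", spec.strip()):
        if not tok:
            continue
        name = tok.lstrip("!")
        if name not in ALL_PROTOCOLS:
            raise ValueError(f"unknown protocol name: {tok}")
        (exclude if tok.startswith("!") else include).add(name)
    base = include if include else set(ALL_PROTOCOLS)
    return base - exclude

def effective_protocols(main_cf, policy_entry):
    """Pick the list that applies to one destination (assumed precedence):
    a per-destination protocols= attribute wins; otherwise the security
    level selects the mandatory or the opportunistic global list."""
    fields = policy_entry.split()
    level, attrs = fields[0], dict(a.split("=", 1) for a in fields[1:])
    if "protocols" in attrs:
        return parse_protocol_list(attrs["protocols"])
    key = ("smtp_tls_mandatory_protocols" if level in MANDATORY_LEVELS
           else "smtp_tls_protocols")
    return parse_protocol_list(main_cf[key])

# The proposed main.cf lists and the policy-table line quoted in the thread.
MAIN_CF = {
    "smtp_tls_mandatory_protocols": "!SSLv2 !TLSv1.1 !TLSv1.2",
    "smtp_tls_protocols": "!SSLv2",
}
POLICY = {"[mxtls.allianz.com]": "verify protocols=SSLv3:TLSv1"}

if __name__ == "__main__":
    for dest, entry in POLICY.items():
        print(dest, sorted(effective_protocols(MAIN_CF, entry)))
    print("other mandatory-TLS sites:", sorted(effective_protocols(MAIN_CF, "secure")))
    print("opportunistic sites:", sorted(effective_protocols(MAIN_CF, "may")))
```

Note that every result set without TLSv1.2 also means no AEAD (GCM) cipher suites, which is the trade-off Viktor mentions above.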