[BlueOnyx:15261] Re: Latest Update breaks dovecot SSL ?

Michael Stauber mstauber at blueonyx.it
Wed Apr 23 17:57:41 -05 2014


Hi Matthias,

You posted your message from an email address that's not subscribed to
the mailing list. I waved it through, but please check your subscription
and use the correct email address for postings next time. :-)

> today morning my blueonyx installed the latest updates.
> Since the installation I can't poll dovecot using SSL/TLS on port 995 with 
> an older mail client (OE).
> 
> /var/log/maillog says on every attempt:
> 
> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL 
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> 
> What is the breaking change for this? How to fix it?
> 
> Don't know if this is important - today's logwatch contained:
> 
>  *Unmatched Entries*
>     dovecot: ssl-params: Error: epoll_ctl(del, 7) failed: No such file or 
> directory: 1 Time(s)

That probably happened with this YUM update:

http://article.gmane.org/gmane.linux.devices.blueonyx.user/14355/match=blueonyx+14364

You see, the Snowden revelations about the unprecedented, immoral and
illegal snoopings of the rogue US government (and their cronies) had
everyone buttoning up the hatches in regards to security.

It is now clear that the fuckwits of the NSA have subverted a whole
bunch (if not all) cryptology protocols that are commonly used on the
internet. So all traffic (encrypted or not) is siphoned up, stored,
decrypted either now (or later) and will be used against us at the
earliest opportunity that fits their shady business.

We published several updates to BlueOnyx that deal with SSL in order to
make their life a bit more miserable and yours and ours a bit
safer. At least as far as we can. For services such as SFTP, POP3S,
IMAPS, SMTPS and HTTPS we followed newly developed practices to make
sure that encryption ciphers and protocols are used, which are deemed a
bit safer. That might be for naught as well, considering how thoroughly
fucked up OpenSSL and TLS are thanks to decades of influence and
subversion by corrupt entities such as NIST and NSA.

We forced the services on BlueOnyx to not allow certain older protocols
such as RC4-based ones (which has been thoroughly rooted) and also
removed support for some of the really weak encryption ciphers that
really shouldn't be used anymore.

I did some testing to see how well Windows XP based programs would react
to this. Internet Explorer 6 on Windows XP can still connect to Apache
on BlueOnyx. But there is only a single (relatively weak) protocol
available for it to use. It doesn't support any of the more complex and
newer protocols. With the EOL of XP we're also no longer paying much
attention to keep XP users happy. We can't lower our security standards
just to keep that ancient Mickey-Mouse OS supported.

As for Outlook Express? In the case you mentioned that email client
talked to Dovecot and tried to negotiate a protocol and an encryption
method for the communication. But none of the protocols that your email
client supports is still supported.

This is defined in this file on the server:

/etc/dovecot/conf.d/10-ssl.conf

In this section - to be precise:

# SSL ciphers to use
ssl_cipher_list = 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

This follows best practices as suggested by Dovecot.org and
Bettercrypto.org.

If your email client doesn't support the suggested ciphers, then it
might be high time to retire it and to upgrade to something slightly
more modern. Outlook Express 6.0 is from 2001 <shudder>.

-- 
With best regards

Michael Stauber
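The "no shared cipher" error in the quoted maillog is exactly what happens when the set of suites the server's ssl_cipher_list expands to has no overlap with what the client offers. The following script is an added example, not part of this mailing-list post or of BlueOnyx itself: it feeds the cipher string from 10-ssl.conf into OpenSSL through Python's ssl module, lists the suites it actually yields on the local OpenSSL build, checks that nothing RC4/MD5/DES/EXPORT/NULL-based slipped through, and compares the result against a constructed, assumed list of TLS 1.0 suites a Windows XP era client such as Outlook Express would offer. The legacy client list is an assumption for illustration; the suite names and the behaviour of set_ciphers()/get_ciphers() are standard OpenSSL/Python.

```python
import ssl

# Cipher string as quoted in the post (/etc/dovecot/conf.d/10-ssl.conf).
BLUEONYX_CIPHER_LIST = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Constructed / assumed: the TLS 1.0 suites an old SChannel-based client
# (Outlook Express on Windows XP) typically advertises in its ClientHello.
LEGACY_CLIENT_OFFER = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5"]

# Substrings that mark a suite as one the post says must no longer be used.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "SEED", "PSK")


def expand_cipher_list(spec):
    """Return the suite names `spec` expands to on this OpenSSL build,
    in server preference order.  Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suites in `names` that still carry a weak algorithm marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def shared_suites(server_spec, client_offer):
    """Suites both sides can agree on, in the server's preference order.
    An empty list is what the maillog reports as 'no shared cipher'."""
    offered = set(client_offer)
    return [n for n in expand_cipher_list(server_spec) if n in offered]


def main():
    enabled = expand_cipher_list(BLUEONYX_CIPHER_LIST)
    print("server offers %d suites, e.g. %s" % (len(enabled), enabled[:3]))
    print("weak suites left enabled:", weak_suites(enabled) or "none")
    print("shared with legacy client:",
          shared_suites(BLUEONYX_CIPHER_LIST, LEGACY_CLIENT_OFFER) or "none")


if __name__ == "__main__":
    main()
```

Run it on the server itself rather than a workstation: the expansion depends on the OpenSSL version Dovecot is linked against, so the list printed there is the one the client actually negotiates against. Note that ssl_cipher_list only governs cipher suites; the protocol versions Dovecot accepts are a separate setting in the same file.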
