OSEC

Re: TLS Issue

From: Jan Kowalski (bakenekocock.li)
Date: Sun Dec 07 2014 - 11:02:23 CST


On , at
"Steffan A. Cline" <steffanhldns.com> wrote:

Hi,

have you resolved this problem yet?

I reproduce it when I connect via either imap or smtp from claws-mail
linked against gnutls 3.3.10-1 to a postfix server with dovecot sasl
enabled.

In my case it is caused by my dovecot configuration, namely:

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

According to [1]:

> It seems that following poodle many sites incorrectly banned SSL 3.0
> record packet versions. Since gnutls uses an SSL 3.0 record to
> advertise TLS 1.2, they are effectively banning it even if it doesn't
> advertise SSL 3.0.

After removing SSLv3 from ssl_cipher_list the client connected
successfully. I'm not really sure, though, whether it is a proper workaround
or whether I am opening a possible attack vector; I will be carrying out more
tests next weekend. However, I don't think it's necessary for gnutls to
behave this way; NSS works fine in either configuration.

[1]:
http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
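The distinction [1] draws between the record-layer version and the version the ClientHello actually advertises, as an added example that is not part of the post and is not GnuTLS or Dovecot code: a small parser over a constructed ClientHello whose record header says SSL 3.0 while its handshake client_version says TLS 1.2. A check that looks only at the handshake field is the one that tells whether a client is really offering SSLv3; a check on the record header is the mistake the quoted message describes. The byte layout follows the TLS record and handshake headers; the random, cipher suites and session id are constructed placeholder values.

```python
import struct

# Constructed ClientHello: record header version 3.0 (SSL 3.0), handshake
# client_version 3.3 (TLS 1.2). Minimal body: no session id, two cipher
# suites, null compression, no extensions.
CLIENT_HELLO_BODY = (
    b"\x03\x03"                     # client_version = TLS 1.2
    + b"\x00" * 32                  # random (constructed, all zeros)
    + b"\x00"                       # session_id length 0
    + b"\x00\x04\x00\x2f\x00\x3c"   # cipher_suites: 2 suites (4 bytes)
    + b"\x01\x00"                   # compression_methods: null only
)
HANDSHAKE = b"\x01" + len(CLIENT_HELLO_BODY).to_bytes(3, "big") + CLIENT_HELLO_BODY
RECORD = b"\x16\x03\x00" + struct.pack(">H", len(HANDSHAKE)) + HANDSHAKE

VERSION_NAMES = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_client_hello(data):
    """Return (record_version, client_version), each as a (major, minor) tuple."""
    if len(data) < 5 or data[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:          # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        raise ValueError("truncated ClientHello")
    client_version = (body[4], body[5])           # what the client really offers
    return record_version, client_version


def offers_sslv3(data):
    """True only if the ClientHello itself offers at most SSL 3.0.
    Deciding on the record-layer version instead rejects TLS 1.2 clients
    that wrap their ClientHello in an SSL 3.0 record, as GnuTLS does."""
    _, client_version = parse_client_hello(data)
    return client_version <= (3, 0)


if __name__ == "__main__":
    rec, cli = parse_client_hello(RECORD)
    print("record layer:", VERSION_NAMES[rec], "| client_version:", VERSION_NAMES[cli])
    print("offers SSLv3:", offers_sslv3(RECORD))
```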