Disable SSLv3 in Dovecot --> TLS handshaking failed: no shared cipher?

    • Ubuntu 12.04
    • OpenSSL 1.0.1-4ubuntu5.20 14 Mar 2012
    • Dovecot 2.0.19

    The situation is I'm trying to disable SSLv3 in Dovecot by adding !SSLv3 to the ssl_cipher_list:

    ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    

    After restarting Dovecot and checking the log, I got:

    Oct 29 05:00:46 mail dovecot: imap-login: Disconnected (no auth attempts): rip=118.71.13.x, lip=107.170.105.y, TLS handshaking: SSL_accept() failed: error: 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

    What I don't understand is that the above cipher list supports some TLSv1.2 ciphers:

    openssl ciphers -v 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA' | grep -i tls
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    

    Running tcpdump while using Thunderbird to connect to Dovecot:

    Secure Sockets Layer
        SSL Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 177
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 173
                Version: TLS 1.2 (0x0303)
                Random
                    GMT Unix Time: May  4, 2099 21:21:49.000000000 ICT
                    Random Bytes: db3c676892cb86a10350aae7fa67868ed4935862593455bc...
                Session ID Length: 0
                Cipher Suites Length: 46
                Cipher Suites (23 suites)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    

    You can see that both client and server support at least ECDHE-RSA-AES128-GCM-SHA256, so why does the handshake fail?

    Secure Sockets Layer
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)
    

    The answers have addressed the problem, so I'll comment on the question :) OpenSSL server can select a ciphersuite using ECDHE (or ECDH-anon, but you don't want anonymous) only if configured with a "temp" ECDH curve either directly or via a callback, which matches the "supported curves" in the ClientHello (which you truncated). If the client is also OpenSSL other than RedHat it supports all named curves, but others may not. On a quick scan of current source, it appears Dovecot 2.2 does temp ECDH curve but 2.1 and 2.0 don't. ...

    ... However, if the client is selecting "only-in-TLSv1.2" ciphersuites to block SSLv3 like you are, those include some using DHE, and for DHE OpenSSL server more simply requires "temp" DH params (not needing to match a client extension) and Dovecot 2.0 DOES do temp DH params, so if you see any DHE-RSA+(AEAD or SHA2) suites in the ClientHello then you have a valid complaint.

  • The situation is I'm trying to disable SSLv3 in Dovecot by adding !SSLv3 to the ssl_cipher_list:

    This is a bad idea because there are no ciphers specific to TLS1.0 and TLS1.1; they use the same ciphers as SSL 3.0. Only TLS1.2 defined some new ciphers. This means that if you disable the SSLv3 ciphers, no SSLv3 clients can connect, but neither can any TLS1.0 or TLS1.1 clients. This is probably not what you intended to do.

    The real way is not to disable the SSLv3 ciphers but to disable the SSLv3 protocol, but I cannot see an option for it in Dovecot 2.0. According to https://zmap.io/sslv3/servers.html there is an ssl_protocols setting in Dovecot 2.1+, but the same page also wrongly recommends disabling SSLv3 ciphers in Dovecot 2, which is just wrong.

    Check out the source of zmap.io's suggestions: "For older (dovecot) versions you will have to patch the source code." (Askubuntu: How do I patch/workaround SSLv3 POODLE vulnerability (CVE-2014-3566)?)

    I doubt that this is the (only) source for zmap.io because it does not recommend disabling SSLv3 ciphers - contrary to zmap.io.
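To make the answer's point checkable, here is a small added script (not from the question, the answers, or Dovecot) that parses `openssl ciphers -v` output and reports which client protocol versions a cipher string leaves no suite for, plus the temp key-exchange material the server must configure for the DHE/ECDHE suites mentioned in the comment above. The sample input is constructed: the question's own eight output lines, plus one SSLv3-column line added to show the contrast.

```python
import re

# Constructed sample input: the eight lines `openssl ciphers -v` printed for the
# question's !SSLv3 cipher string (copied from the question above).
CIPHERS_ONLY_TLS12 = """\
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
"""
# Constructed sample: the same list with one SSLv3-column suite kept, i.e. what
# the string leaves when !SSLv3 is not applied.
CIPHERS_WITH_SSLV3 = CIPHERS_ONLY_TLS12 + \
    "AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1\n"

# NAME  PROTOCOL  Kx=...  (the rest of the line is not needed here)
LINE_RE = re.compile(r"^(\S+)\s+(SSLv3|TLSv1(?:\.[12])?)\s+Kx=(\S+)")

# The protocol column is the lowest version that defines the suite: "SSLv3" suites
# are the only ones TLS 1.0/1.1 can use; "TLSv1.2" suites exist only in TLS 1.2.
USABLE_COLUMNS = {
    "SSLv3": {"SSLv3"}, "TLSv1": {"SSLv3"}, "TLSv1.1": {"SSLv3"},
    "TLSv1.2": {"SSLv3", "TLSv1.2"},
}

def parse_ciphers(text):
    """Return (name, protocol_column, kx) for each `openssl ciphers -v` line."""
    return [m.groups() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def suites_for_client(text, client_version):
    """Suites a client that speaks at most client_version can negotiate."""
    ok = USABLE_COLUMNS[client_version]
    return [name for name, proto, _ in parse_ciphers(text) if proto in ok]

def locked_out_versions(text):
    """Client protocol versions for which the cipher string leaves no suite at all."""
    return [v for v in ("TLSv1", "TLSv1.1", "TLSv1.2") if not suites_for_client(text, v)]

def server_side_requirements(text):
    """Temp key-exchange material the server must configure for the listed suites:
    ECDHE suites need a temp ECDH curve, DHE suites need temp DH params."""
    kx = {k for _, _, k in parse_ciphers(text)}
    return [need for flag, need in (("ECDH", "temp ECDH curve"), ("DH", "temp DH params")) if flag in kx]

if __name__ == "__main__":
    print("locked out:", locked_out_versions(CIPHERS_ONLY_TLS12))  # ['TLSv1', 'TLSv1.1']
    print("server needs:", server_side_requirements(CIPHERS_ONLY_TLS12))
```

Feed it the real `openssl ciphers -v '<your string>'` output to see, before restarting Dovecot, whether a change would lock out every TLS 1.0 and 1.1 client.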

  • IIRC ssl_ciphers is not the right place to disable a protocol; try:

    # dovecot
    ssl_protocols = !SSLv2 !SSLv3
    

    After this I'd suggest testing your server with the script from testssl.sh.

    The reason is we are running Dovecot 2.0.19 on Ubuntu 12.04.

    What @steffen said: "For older (dovecot) versions you will have to patch the source code." Source: Askubuntu: How do I patch/workaround SSLv3 POODLE vulnerability (CVE-2014-3566)?

License under CC-BY-SA with attribution
