Mailing List CGatePro@mail.stalker.com Message #105814
From: Tom Rymes <trymes@rymes.com>
Subject: Re: Error: none of client TLS cipher methods is supported
Date: Fri, 11 Sep 2015 13:15:30 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
On 09/11/2015 1:07 PM, Tom Rymes wrote:
> I was unable to receive an e-mail from a host today due to the following
> error:
>
> failed to accept a secure connection for DOMAIN(rymes.com). Error
> Code=none of client TLS cipher methods is supported
>
> I enabled "Weak Ciphers" and "CBC Ciphers for old TLS" in
> Settings:General:Other, and that seems to have worked, implying that the
> sender has an outdated installation, I presume?
>
> I have a few questions:
>
> 1.) What are the currently recommended settings for TLS Sessions?
> 2.) What are my options for this sender? I believe that I can force SMTP
> to not advertise TLS for certain hosts?
> 3.) Where can I determine what ciphers are being used to provide
> evidence to the sender that they need to fix their end?

I'm replying to my own e-mail here with more information and more confusion. I found this in the documentation at https://www.communigate.com/communigatepro/PKI.html :

"CBC Ciphers for old TLS
    Select this setting if you want to support CBC-based cipher methods for SSL 3.0 and TLS 1.0 protocols. The CBC-based cipher methods are always supported for datagram (DTLS) protocols.
Weak Ciphers
    Select this setting if you want to support weak (less than 128-bit) security (cipher methods). The CBC Ciphers setting should be selected, too."

I then checked the logs, and it looks like the sender is using AES256_SHA after I enabled both of the above settings, which makes no sense to me, as it is neither CBC-based nor less than 128-bit, making me wonder why enabling those two options made a difference.

"TLS-095527(AES256_SHA) connection accepted for DOMAIN(rymes.com)"

Hopefully someone can enlighten me.

Thank you,

Tom
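
For question 3 in the quoted message, one way to gather evidence for a sender is to tally the TLS lines in the server log per domain and cipher. The script below is an added example, not part of the original post or of CommuniGate Pro's tooling; it assumes log lines carry the two message shapes quoted above, and the timestamp prefixes, session numbers, `example.org` and the `AES128_GCM_SHA256` label in its sample are constructed. Its mode classification relies on the fact that in TLS 1.0 through 1.2 an AES or 3DES suite with no GCM/CCM tag runs in CBC mode.

```python
import re
from collections import Counter

# Message shapes quoted in the post; any timestamp/level prefix is ignored.
ACCEPTED = re.compile(r"TLS-(\d+)\((\w+)\) connection accepted for DOMAIN\(([^)]+)\)")
REJECTED = re.compile(r"failed to accept a secure connection for DOMAIN\(([^)]+)\)\. "
                      r"Error Code=(.+)$")

def cipher_mode(label):
    """Classify a cipher label by mode of operation (label naming is an assumption)."""
    name = label.upper()
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA")):
        return "AEAD"
    if "RC4" in name:
        return "stream"
    if any(tag in name for tag in ("AES", "DES", "CAMELLIA")):
        return "CBC"  # block cipher with a separate HMAC: CBC mode in TLS 1.0-1.2
    return "unknown"

def summarize(lines):
    """Return two Counters: accepted (domain, cipher, mode) and rejected (domain, error)."""
    accepted, rejected = Counter(), Counter()
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            _, cipher, domain = m.groups()
            accepted[(domain, cipher, cipher_mode(cipher))] += 1
            continue
        m = REJECTED.search(line)
        if m:
            rejected[(m.group(1), m.group(2).strip())] += 1
    return accepted, rejected

# Constructed sample log: prefixes, session numbers and example.org are made up.
SAMPLE_LOG = """\
13:01:12.101 2 SMTPI-000101 failed to accept a secure connection for DOMAIN(rymes.com). Error Code=none of client TLS cipher methods is supported
13:09:40.512 2 TLS-095527(AES256_SHA) connection accepted for DOMAIN(rymes.com)
13:10:02.007 2 TLS-095530(AES128_GCM_SHA256) connection accepted for DOMAIN(example.org)
13:11:19.330 2 TLS-095533(AES256_SHA) connection accepted for DOMAIN(rymes.com)
""".splitlines()

if __name__ == "__main__":
    ok, failed = summarize(SAMPLE_LOG)
    for (domain, cipher, mode), n in sorted(ok.items()):
        print(f"accepted  {domain:12} {cipher:18} {mode:6} x{n}")
    for (domain, error), n in sorted(failed.items()):
        print(f"rejected  {domain:12} {error} x{n}")
```

Feeding it the real log instead of `SAMPLE_LOG` gives a per-domain count of negotiated ciphers and handshake failures that can be sent to the remote administrator.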