Mailing List CGatePro@mail.stalker.com Message #105817
From: Tom Rymes <trymes@rymes.com>
Subject: Re: Error: none of client TLS cipher methods is supported
Date: Tue, 15 Sep 2015 11:57:50 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
On 09/14/2015 3:18 PM, James Roman wrote:
I’m guessing here, but we saw some similar problems with email from some
government systems. The RFC for TLS 1.0 doesn’t list AES256_SHA as a
valid cipher (most likely because it had not been formalized when the
RFC was published) for TLS 1.0. Several supported Linux versions shipped
with OpenSSL library versions that only support up to TLS 1.0, like
Red Hat/CentOS 5. There are also supported SUSE and Ubuntu LTS versions
in the same boat. Government agencies were given a directive that they
had to drop support for ciphers weaker than AES_128. We’ve seen several
government agencies recompiling OpenSSL libraries for older systems to
shoehorn CBC Ciphers that are only native to TLS 1.1 and 1.2 into TLS
1.0 libraries. So those systems announce TLS 1.0, but offer a limited
set of ciphers that are only supported in TLS 1.1 and 1.2. I would
not be surprised to find other organizations latching on to this hack.

In the cases we’ve dealt with, normally these are secondary systems that
may still send mail notification for applications, etc. If there were
two systems, one has been upgraded to a newer OS that supports TLS 1.1
and 1.2, but the second system has yet to be upgraded.

Thanks, James. I'm still confused about why the two CGP settings mentioned would have resolved this issue.

Tom
