Mailing List CGatePro@mail.stalker.com Message #105821
From: Tom Rymes <trymes@rymes.com>
Subject: Re: Error: none of client TLS cipher methods is supported
Date: Thu, 17 Sep 2015 11:45:42 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>

On 09/17/2015 10:37 AM, James Roman wrote:
> When we ran the command from a CentOS 6/7 client, our CommuniGate server
> accepted the handshake and negotiated a TLS v1.2 connection
> successfully. Without any cipher specified, the handshake would end in
> an AES256_SHA256 TLS v1.2 session. On CentOS5, without the -cipher
> AES256-SHA argument the handshake would only negotiate with RC4-SHA (an
> insecure stream cipher, not block cipher). If we forced AES256-SHA, the
> connection failed, unless we enabled the CBC Ciphers for Old TLS.

Thank you for the detailed information, James. This does make sense to me, and I confirmed that this is precisely what I see, too.

If I force the use of AES256-SHA by running the command "openssl s_client -connect rymes.com:25 -starttls smtp -cipher AES256-SHA", I get the following results:

TLS 1.2-capable client, regardless of CBC setting:
"SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA"

From RedHat 5 (TLS1.0 only) with "CBC Ciphers for Old TLS" DISABLED:
"CONNECTED(00000003)
25557:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:586:"

From RedHat 5 (TLS1.0 only) with "CBC Ciphers for Old TLS" ENABLED:
"SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA"

If I DON'T force the use of AES256-SHA and DISABLE the "CBC Ciphers for Old TLS" setting, I get the following from RedHat 5:

"SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA"

Lastly, if I ENABLE the "CBC Ciphers for Old TLS" setting and DO NOT force AES256-SHA, I get the stronger Cipher anyway. This leads me to believe that using the "CBC Ciphers for Old TLS" setting actually IMPROVES the encryption security, rather than reducing it. Functionality does not seem diminished, either, as I can still force a connection using RC4-SHA.

Can anyone indicate to me why one would NOT enable the "CBC Ciphers for Old TLS" setting?

Tom
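
An added example, not part of the message above and not CommuniGate tooling: a small shell harness that repeats the `openssl s_client` checks described in the message and classifies each result, so the effect of toggling "CBC Ciphers for Old TLS" can be compared run to run. The function names and `mail.example.com:25` are assumptions; the embedded transcript is constructed.

```shell
#!/bin/sh
# Added example. classify_session, probe, audit and demo are hypothetical names.

# Read `openssl s_client` output on stdin; print "<protocol> <cipher> <verdict>".
classify_session() {
    awk '
        /alert handshake failure/ { failed = 1 }
        # Session block lines look like "    Protocol  : TLSv1"
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            # Newer clients print "Cipher    : 0000" when nothing was negotiated.
            if (failed || cipher == "" || cipher == "0000") {
                print "- - HANDSHAKE_FAILED"
            } else if (cipher ~ /RC4/) {
                print proto, cipher, "WEAK_RC4"
            } else {
                print proto, cipher, "OK"
            }
        }'
}

# probe HOST:PORT [s_client options]: one STARTTLS SMTP handshake, classified.
probe() {
    target=$1; shift
    openssl s_client -connect "$target" -starttls smtp "$@" </dev/null 2>&1 |
        classify_session
}

# Repeat the cases from the message against a server you administer.
audit() {
    for opts in "-tls1_2 -cipher AES256-SHA" "-tls1 -cipher AES256-SHA" \
                "-tls1" "-tls1 -cipher RC4-SHA"; do
        # $opts is left unquoted on purpose so it splits into separate options.
        printf '%-28s %s\n' "$opts" "$(probe "$1" $opts)"
    done
}

# Offline demo on a constructed transcript (the RC4 fallback case).
demo() {
    printf 'SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : RC4-SHA\n' |
        classify_session
}

# Usage: sh tls_audit.sh mail.example.com:25   (placeholder host)
if [ -n "${1:-}" ]; then audit "$1"; else demo; fi
```

A client build that no longer ships TLS 1.0 or RC4 reports HANDSHAKE_FAILED for those rows regardless of the server setting, so run the TLS 1.0 cases from a client that still supports them.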