Mailing List CGatePro@mail.stalker.com Message #105856
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: Re: HEADS UP: If you're queueing to Office365 domains (was Re: Error: none of client TLS cipher methods is supported)
Date: Thu, 29 Oct 2015 22:23:04 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (1.9.2r5148)
On 28 Oct 2015, at 10:20, Tom Rymes wrote:

> On 10/27/2015 12:38 PM, Bill Cole wrote:
>> On 17 Sep 2015, at 11:45, Tom Rymes wrote:
>>
>>> Can anyone indicate to me why one would NOT enable the "CBC Ciphers for Old TLS" setting?
>>
>> Well, as I discovered yesterday, you might switch that off if you want to mysteriously deliver nothing to domains hosted by Microsoft.
>>
>> There is definitely a CGP flaw here. Current OpenSSL will negotiate TLS 1.2,ECDHE_AES256_SHA384 with the *.mail.protection.outlook.com machines, but the garbage TLS library CGP is using needs a non-standard config to get TLSv1.0,ECDHE_AES256_SHA and without that setting just gets tossed out during negotiation. As far as I can tell from the 2014-2015 logs of a handful of test and production instances running 6.x versions, CGP never bothers trying to use TLSv1.1 or TLSv1.2 for SMTP client sessions.
>
> Bill: Are you saying that you run into problems when you have the option enabled, disabled, or no matter what you do?

Disabled: cannot send to MS-hosted domains at all, because *.mail.protection.outlook.com machines drop the connection abruptly during TLS setup after the client_hello is sent.

Enabled: outbound mail works to those domains (and everywhere else) so no one operating a serious mail server can afford to leave this setting unchecked.

HOWEVER: in looking closely at what CGP is doing with TLS I discovered that outbound connections NEVER negotiate any TLS version other than 1.0, even with servers (like Microsoft's) that I have directly tested and confirmed will negotiate 1.2. In addition, the ciphersuite negotiated by CGP seems to be marginally weaker than it could be with hosts like those if CGP were negotiating TLSv1.2. I say "seems" and "marginally" because SHA1 in a ciphersuite (i.e. as part of a HMAC algorithm) isn't equivalent to its use in signatures or password hashing. This IS NOT in itself a significantly risky behavior by CGP but TLS didn't get updates for no reason and it's a bug to not use the best version that can be used for every connection.
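
The following is an added example, not part of the original message and not CGP code: a small parser for a captured client_hello record that reports the highest TLS version and the cipher suites a client offered, which is the information needed to see why a server would drop the session at that point. The sample records are constructed (not captured from CGP), the function names are hypothetical, and the RC4-only offer for the "setting disabled" case is an assumption based on TLS 1.0 having only CBC and RC4 suites.

```python
import struct

# Suite IDs from the IANA TLS registry; only the few this example needs.
SUITES = {
    0x0005: "RSA_RC4_128_SHA",
    0x002F: "RSA_AES128_CBC_SHA",
    0xC014: "ECDHE_RSA_AES256_CBC_SHA",
    0xC028: "ECDHE_RSA_AES256_CBC_SHA384",  # defined for TLS 1.2 only
}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_client_hello(version, suites):
    """Build a minimal ClientHello record (constructed sample, no extensions)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello(record):
    """Return (client_version, [suite ids]) from one raw TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    try:
        pos = 9                               # 5-byte record header + 4-byte handshake header
        (version,) = struct.unpack_from(">H", record, pos)
        pos += 2 + 32                         # client_version + random
        pos += 1 + record[pos]                # session id length + session id
        (n,) = struct.unpack_from(">H", record, pos)
        pos += 2
        if n % 2 or pos + n > len(record):
            raise ValueError("bad cipher suite list")
        return version, [struct.unpack_from(">H", record, i)[0] for i in range(pos, pos + n, 2)]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def audit(record):
    """Summarise the offer: highest version, suite names, and whether only RC4 is left."""
    version, suites = parse_client_hello(record)
    names = [SUITES.get(s, hex(s)) for s in suites]
    return {
        "max_version": VERSIONS.get(version, hex(version)),
        "suites": names,
        "only_rc4": bool(names) and all("RC4" in n for n in names),
    }
```

Feeding it the first handshake record from a packet capture of an outbound SMTP STARTTLS session shows whether the client capped itself at TLSv1.0 and which suites were left on offer.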