Difference between revisions of "TLS Problems"
Latest revision as of 14:35, 22 September 2017
Note on Debian 7 (Wheezy) and older
We've found that Debian 7's version of OpenSSL has problems interoperating with some other SSL implementations when the TLSv1 protocol is used. TLSv1 can be disabled as discussed below.
HOWEVER, many systems now refuse the older protocols that are supported by this version of Debian, namely SSLv2 and SSLv3. This means that if you disable TLSv1 to resolve the interoperability problems, you will leave no protocol in common with those pickier machines.
It is possible to selectively disable TLS to and from specific domains, which is also discussed below, but at this time it is highly recommended that you perform the necessary Debian Upgrades, specifically Upgrade to Jessie, in order to get access to stable versions of newer TLS protocols.
Versions of Debian older than Wheezy have even less protocol support and it is recommended that you not use TLS at all, even with exceptions.
Disable TLS Globally
CanIt appliances do not come with TLS enabled. This will have been enabled as instructed in our TLS Enable article.
In order to disable it, you will need to remove, or comment out (by prefacing with: dnl) the configuration line:
include(`/etc/mail/tls/starttls.m4')dnl
Then reconfigure Sendmail with:
make -C /etc/mail && /etc/init.d/sendmail reload
Disable TLS for specific domains
Put this line in /etc/mail/access:
Try_TLS:example.com NO
And run:
make -C /etc/mail
See also: TLS Disable
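As an added example (not from the page or from CanIt), here is a small Python model of how the Try_TLS: entries in /etc/mail/access are read and applied when sendmail decides whether to attempt STARTTLS to a given host. The sample access lines other than the example.com one and the parent-domain matching are assumptions, noted in the comments.

```python
# Constructed sample of /etc/mail/access entries. Only the
# "Try_TLS:example.com NO" line comes from the page; the rest is made up.
SAMPLE_ACCESS = """\
# outbound STARTTLS exceptions
Try_TLS:example.com         NO
Try_TLS:mail.legacy.test    NO
Try_TLS:partner.test        YES
Connect:10.0.0.1            RELAY
"""


def parse_try_tls(text):
    """Return {domain: value} for the Try_TLS: entries in an access file.

    Lines starting with '#' are comments; other tags (Connect:, To:, ...)
    are ignored here. Keys are folded to lower case, as makemap does by
    default.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed entry; makemap would reject it
        key, value = parts
        if not key.lower().startswith("try_tls:"):
            continue
        domain = key[len("Try_TLS:"):].strip(".").lower()
        rules[domain] = value.strip().upper()
    return rules


def will_try_tls(hostname, rules):
    """Decide whether sendmail will attempt STARTTLS when connecting to hostname.

    Assumption (not stated on the page): the lookup tries the full host
    name first and then each parent domain, so "Try_TLS:example.com NO"
    also covers mx1.example.com. Only the value NO disables STARTTLS.
    """
    labels = hostname.strip(".").lower().split(".")
    for i in range(len(labels)):
        value = rules.get(".".join(labels[i:]))
        if value is not None:
            return value != "NO"
    return True  # no entry: sendmail keeps its default and tries STARTTLS
```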
Disable Specific Protocols and Ciphers
Add a LOCAL_CONFIG to the end of /etc/mail/sendmail.mc:
LOCAL_CONFIG
dnl # Do not allow SSLv2 and weak ciphers
You can then define appropriate ciphers:
O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2
This allows only HIGH- or MEDIUM-strength ciphers and excludes anonymous DH (ADH), MD5 and any SSLv2 ciphers.
You can also disable individual protocols, for example:
O ClientSSLOptions=+SSL_OP_NO_TLSv1
This would avoid the TLSv1 problem on Wheezy, subject to the caveat in the note above.
After adding either, you need to reconfigure Sendmail with:
make -C /etc/mail && /etc/init.d/sendmail reload
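Before deploying a CipherList, it is worth seeing what it actually admits on the OpenSSL build in question. The following is an added example (not from the page or from CanIt) that expands the page's cipher string through Python's ssl module, which is linked against the local OpenSSL, and tags the suites a reviewer would question; it assumes only that a local OpenSSL is present, and the result will differ between Wheezy's OpenSSL 1.0.x and a current build.

```python
import ssl

# The CipherList from the page, as sendmail would hand it to OpenSSL.
PAGE_CIPHERLIST = "HIGH:MEDIUM:!ADH:!MD5:!SSLv2"


def expand_cipherlist(spec):
    """Return the TLS 1.2-and-older cipher names the local OpenSSL selects
    for spec, in preference order. OpenSSL silently ignores names it no
    longer knows (such as SSLv2 on current builds) and raises ssl.SSLError
    only when nothing at all matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # TLS 1.3 suites are configured separately and ignore CipherList.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(names):
    """Map each suite a reviewer would flag to short reason tags.

    !ADH removes ADH-* but not the anonymous ECDH suites (AECDH-*);
    !aNULL would cover both. MEDIUM admits RC4 on OpenSSL 1.0.x, and 3DES
    sits in HIGH on 1.0.x (it moved to MEDIUM in 1.1.0), so the page's
    list can still allow RC4 and 3DES depending on the OpenSSL build.
    """
    flagged = {}
    for name in names:
        reasons = []
        if name.startswith(("ADH-", "AECDH-")):
            reasons.append("anon")  # no server authentication at all
        if "MD5" in name:
            reasons.append("md5")
        if "RC4" in name:
            reasons.append("rc4")
        if "DES-CBC3" in name or "3DES" in name:
            reasons.append("3des")
        if reasons:
            flagged[name] = reasons
    return flagged


def report(spec=PAGE_CIPHERLIST):
    """Print what spec admits on this OpenSSL and which suites look weak."""
    names = expand_cipherlist(spec)
    flagged = weak_ciphers(names)
    print(f"{len(names)} suites for {spec!r} on {ssl.OPENSSL_VERSION}")
    for name in names:
        print(f"  {name:32} {' '.join(flagged.get(name, []))}")
    return flagged


if __name__ == "__main__":
    report()
```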