Difference between revisions of "TLS Problems"

From Roaring Penguin
Latest revision as of 15:35, 22 September 2017

Note on Debian 7 (Wheezy) and older

We have found that Debian 7's OpenSSL, when negotiating TLSv1, has problems interoperating with some other SSL/TLS implementations. TLSv1 can be disabled as described below.

HOWEVER, many systems now refuse the older protocols that remain on this version of Debian, namely SSLv2 and SSLv3 (both have well-known weaknesses and are widely rejected). If you disable TLSv1 to work around the interoperability problems, you leave no protocol in common with those pickier peers, and TLS delivery to them will fail.

You can disable TLS selectively for specific domains, which is also described below, but the strongly recommended fix is to perform the necessary Debian Upgrades, specifically Upgrade to Jessie, which provides stable support for the newer TLS protocol versions.

Versions of Debian older than Wheezy support even fewer protocols; on those we recommend not using TLS at all, even with per-domain exceptions.
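Before and after changing the protocol settings, a practitioner will want to see what a given peer actually negotiates over STARTTLS. The following is an added example, not part of the Roaring Penguin wiki page or of CanIt: it drives `openssl s_client -starttls smtp` once per protocol version and reads the negotiated version out of its session summary. The host name in the usage comment is a placeholder, and the two sample outputs are constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example (not from the Roaring Penguin wiki): report which TLS protocol
# versions a remote MTA will actually negotiate over STARTTLS.
# Usage: probe_starttls mail.example.com [port]   (hostname is a placeholder)

# Extract the negotiated protocol from s_client output. Prints "none" when the
# handshake failed: s_client then reports "Cipher is (NONE)" and may still show
# a Protocol line for the version it *attempted*, so the cipher line wins.
negotiated_protocol() {
    awk '
        /^ *Protocol *:/        { proto = $3 }
        /Cipher is \(NONE\)/    { failed = 1 }
        END { if (failed || proto == "") print "none"; else print proto }'
}

# Try each version in turn against host:port (default 25). The -ssl3 and
# -tls1_1 flags exist only if the local OpenSSL was built with that protocol;
# an unsupported flag produces no session summary and so reports "none".
probe_starttls() {
    host="$1"; port="${2:-25}"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$host:$port" -starttls smtp "$flag" \
                 </dev/null 2>&1 | negotiated_protocol)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Constructed samples of s_client output (not captured from any real host),
# so the parser can be exercised offline via self_check.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Returns 0 if the parser handles both the success and the failure sample.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_OK" | negotiated_protocol)" = "TLSv1.2" ] &&
    [ "$(printf '%s\n' "$SAMPLE_FAIL" | negotiated_protocol)" = "none" ]
}
```

Run `probe_starttls` against a peer that is failing with your Wheezy host: if every row reads "none" except `-tls1`, disabling TLSv1 as described below will leave you with nothing in common with it.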

Disable TLS Globally

CanIt appliances do not ship with TLS enabled; if it is on, it was enabled as described in our TLS Enable article.

To disable it, remove, or comment out (by prefacing it with dnl), this line in /etc/mail/sendmail.mc:

   include(`/etc/mail/tls/starttls.m4')dnl

Then reconfigure Sendmail with:

   make -C /etc/mail && /etc/init.d/sendmail reload

Disable TLS for specific domains

Add this line to /etc/mail/access (this requires the access_db FEATURE in sendmail.mc). A Try_TLS: entry governs the connections sendmail makes to the named domain, that is, outbound mail; it does not change what your server offers when that domain connects to you:

   Try_TLS:example.com    NO

And run:

   make -C /etc/mail

See also: TLS Disable

Disable Specific Protocols and Ciphers

Add a LOCAL_CONFIG section to the end of /etc/mail/sendmail.mc (the dnl line is an m4 comment and produces nothing in sendmail.cf):

   LOCAL_CONFIG
   dnl # Do not allow SSLv2 and weak ciphers

You can then define appropriate ciphers:

   O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2

This permits only HIGH and MEDIUM strength cipher suites and excludes anonymous Diffie-Hellman (ADH, which gives no server authentication and so no protection against an active interceptor), suites using MD5, and all SSLv2 suites.

You can also disable individual protocol versions, for example:

   O ClientSSLOptions=+SSL_OP_NO_TLSv1

This turns off TLSv1 for connections sendmail initiates (ClientSSLOptions; the inbound counterpart is ServerSSLOptions, both available in sendmail 8.14 and later), which avoids the Wheezy TLSv1 problem described above, at the cost noted there: the peer must then support one of the remaining protocols this host still offers.

After adding either, you need to reconfigure Sendmail with:

   make -C /etc/mail && /etc/init.d/sendmail reload
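The three changes on this page (commenting out the STARTTLS include, adding a Try_TLS: access entry, and appending the LOCAL_CONFIG block) are each a small, easily botched edit to a file that sendmail re-reads only after `make -C /etc/mail`. The following is an added example, not code from the Roaring Penguin wiki or from CanIt: idempotent shell functions for each edit, taking the file path as a parameter so they can be tried on a copy first. The default paths are the stock Debian ones the page uses; the function names and the `yes`/`no` switch for TLSv1 are this example's own.

```sh
#!/bin/sh
# Added example (not from the Roaring Penguin wiki): idempotent helpers for the
# three sendmail.mc / access edits described on this page. Each function takes
# the file to edit as a parameter (defaults: the Debian paths from the page).

# Disable TLS globally: turn the active STARTTLS include into an m4 comment.
# An already-commented line is left untouched, so the function can be re-run.
disable_starttls_globally() {
    mc="${1:-/etc/mail/sendmail.mc}"
    if grep -q "^include(\`/etc/mail/tls/starttls.m4')dnl" "$mc"; then
        tmp="$mc.tmp.$$"
        sed "s|^include(\`/etc/mail/tls/starttls.m4')dnl|dnl &|" "$mc" > "$tmp" \
            && mv "$tmp" "$mc"
    fi
}

# Disable TLS for one peer domain: add "Try_TLS:<domain> NO" to the access
# source unless an entry for that exact tag already exists.
disable_tls_for_domain() {
    domain="$1"; access="${2:-/etc/mail/access}"
    if ! awk -v d="Try_TLS:$domain" '$1 == d { found = 1 } END { exit !found }' "$access"; then
        printf 'Try_TLS:%s\tNO\n' "$domain" >> "$access"
    fi
}

# Restrict ciphers (and, with "yes" as the second argument, disable TLSv1 for
# outbound connections). Skipped if a CipherList option is already present.
add_tls_local_config() {
    mc="${1:-/etc/mail/sendmail.mc}"; no_tlsv1="${2:-no}"
    if ! grep -q '^O CipherList=' "$mc"; then
        {
            printf 'LOCAL_CONFIG\n'
            printf 'dnl # Do not allow SSLv2 and weak ciphers\n'
            printf 'O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2\n'
            if [ "$no_tlsv1" = "yes" ]; then
                printf 'O ClientSSLOptions=+SSL_OP_NO_TLSv1\n'
            fi
        } >> "$mc"
    fi
}

# Regenerate sendmail.cf and access.db and reload the daemon (the page's own
# command). Not invoked automatically; call it once after the edits above.
rebuild_sendmail() {
    make -C /etc/mail && /etc/init.d/sendmail reload
}
```

Typical use on a live host is `disable_tls_for_domain example.com && rebuild_sendmail`; to rehearse, copy /etc/mail/sendmail.mc somewhere writable, pass that path, and diff the result before touching the real file.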