Ssl 3.0 bug

Actually, I found that Dovecot and DirectAdmin are also not working, even though they can restart. Errors appear in the logs:
/var/log/directadmin/error.log
Code:
2014:10:16-13:30:16: Error Loading ssl_cipher: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

/var/log/maillog
Code:
imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:!SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
 
Basically, if I run "openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP' " in CentOS 5.10 x64, I get -
Code:
Error in cipher list
26967:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:

If I run the same command in CentOS 6.5 x64, I get -
Code:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
 
With the latest settings for Dovecot and Exim, there is still trouble when using email with SSL. Disabling SSLv3 seems to disable both v1 and v2 too, and even TLS.

I am testing Exim version 4.84 #3 built 23-Aug-2014 on CentOS6 / OpenSSL 1.0.1e, but with this configuration
Code:
openssl_options = +no_sslv3
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
it seems TLS 1.2 is also disabled, so email through SSL is not working.
 
Thanks for all of the contributions in this thread.
I've added an announcement, basically reiterating what you've already covered here:
http://forum.directadmin.com/showthread.php?t=50105&p=258220#post258220

I've also created a document with the list of files and ciphers for those files:
http://help.directadmin.com/item.php?id=571

as there may be a few files missed in this thread so far.

More info to come as it becomes available.

John

I followed these instructions the other day but just noticed that I am getting bounces with the following error when sending from a Gmail account to an account on my DirectAdmin machine. Not sure how much mail I am missing from Gmail at this point, but I know for sure it's keeping mail from going to at least one account, so I have to assume it's most if not all email from Gmail. This is a huge issue.

Any suggestions? I don't want to turn SSL3 back on for Exim, but my users sorta need to get email from Gmail users.

Error in bounce message:
gmail Unspecified Error (CONNECTING_WITH_TLS): Protocol error
 
Now I'm curious. Which is best to use? I've got 3 DA servers with CentOS 6.0 and 2 different settings in the httpd-ssl.conf file.
Server 1.
Code:
# Disable SSLv2 and 3
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
#SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLCipherSuite HIGH:!aNULL:!MD5
On this server, the "-SSLv2" already was present, I put the -SSLv3 there myself.

Server 2, mostly the same except for the CipherSuite:
Code:
# Disable SSLv2
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

Server 3.
Code:
# Disable SSLv2
SSLProtocol -ALL -SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
Shouldn't they be the same? I see different SSLCipherSuite settings. Next to that, different SSLProtocol settings (ALL against -ALL, and on server 3 the +TLSv1 is present).
I changed +SSLv3 to -SSLv3 myself.

But due to these differences, which of these config options is best to use?
And would it be wise to add the +TLSv1 as in server 3?
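How mod_ssl reads an SSLProtocol line, as an added example that is not part of this thread and not Apache's or DirectAdmin's code. It mirrors the token handling in mod_ssl's ssl_cmd_protocol_parse(): a `-` token removes protocols, a `+` token adds them, and an unprefixed token replaces whatever was set before it. The expansion of `All` to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 is an assumption that matches what mod_ssl documents for OpenSSL 1.0.1 and later; the `review` helper and its wording are my own.

```python
"""Evaluate an Apache mod_ssl SSLProtocol directive token by token.

Added example, not Apache's own code. Assumption: "All" expands to
SSLv3 TLSv1 TLSv1.1 TLSv1.2 (mod_ssl with OpenSSL 1.0.1 or later);
SSLv2 is never part of "All" and must be named explicitly.
"""

ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
TOKENS = {  # mod_ssl compares tokens case-insensitively
    "all": ALL,
    "sslv2": frozenset({"SSLv2"}),
    "sslv3": frozenset({"SSLv3"}),
    "tlsv1": frozenset({"TLSv1"}),
    "tlsv1.1": frozenset({"TLSv1.1"}),
    "tlsv1.2": frozenset({"TLSv1.2"}),
}
INSECURE = frozenset({"SSLv2", "SSLv3"})  # SSLv2 long broken; SSLv3 is what POODLE attacks


def enabled_protocols(directive):
    """Return the set of protocol versions the directive leaves enabled."""
    enabled = set()
    for word in directive.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        try:
            proto = TOKENS[word.lower()]
        except KeyError:
            # httpd -t rejects unknown tokens with a config error
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= proto
        elif action == "+":
            enabled |= proto
        else:
            # No prefix: overrides everything set so far (mod_ssl logs a
            # warning when that discards earlier tokens).
            enabled = set(proto)
    return enabled


def review(directive):
    """Summarise a directive for a config review: what is on, and what is wrong with it."""
    enabled = enabled_protocols(directive)
    problems = []
    if enabled & INSECURE:
        problems.append("enables " + ", ".join(sorted(enabled & INSECURE)))
    if enabled and "TLSv1.2" not in enabled:
        problems.append("no TLSv1.2: clients that only offer TLS 1.2 cannot connect")
    if not enabled:
        problems.append("no protocol enabled at all")
    return {"enabled": sorted(enabled), "problems": problems}


if __name__ == "__main__":
    for line in ("All -SSLv2 -SSLv3",   # servers 1 and 2 in the post above
                 "-ALL -SSLv3 +TLSv1",  # server 3 in the post above
                 "All -SSLv2"):         # SSLv3 still on
        print(line, "->", review(line))
```

Run as-is it prints the three verdicts: `All -SSLv2 -SSLv3` leaves TLSv1, TLSv1.1 and TLSv1.2; `-ALL -SSLv3 +TLSv1` starts from nothing and adds only TLSv1, so TLS 1.1 and 1.2 are off on that server; `All -SSLv2` still has SSLv3 on. Adding `+TLSv1` to a line that already starts with `All` changes nothing, because `All` already includes it.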
 
More to do

What about /etc/httpd/conf/extra/httpd-ssl.conf?

I see a line with:
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Should I uncomment that?
 
Sorry to kick an old topic but I did the following today on my servers to disable SSLv3 against the POODLE security risk:

Disabled SSLv3 on Apache

httpd-ssl.conf
# Disable SSLv2
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!MD5

Disabled SSLv3 on Exim

exim.conf
# SSL/TLS cert and key
#tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

Disabled SSLv3 on Dovecot

Dovecot.conf
#ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

------------------------------

The problem is that when changing the dovecot and exim settings I am not receiving any more e-mail.

mail.err log shows:
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: pop3-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 4 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 8 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 16 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 32 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 60 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 60 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 60 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 60 secs
webserver dovecot[12689]: imap-login: Fatal: Can't set cipher list to 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP': error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
webserver dovecot[12684]: master: Error: service(imap-login): command startup failed, throttling for 60 secs

----------------------

Anybody know how to solve this? I assume I should have the SSL3 option disabled. For now only apache has it disabled.
I am using the latest version of directadmin, custombuild2.0 and when doing a .build update of custom build everything is up to date.

Debian version: 2.6.32-5-amd64 #1 SMP Wed Feb 18 13:14:10 UTC 2015 x86_64 GNU/Linux
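What the `-SSLv3` token in a cipher string actually does, as an added example that is not part of this thread and not DirectAdmin, Dovecot or Exim code. It serves both the CentOS 5 "no cipher match" output near the top of the thread and the Dovecot log just above: a small parser for `openssl ciphers -v` output that reports the protocol tag of every suite a cipher string leaves behind. The sample lines are constructed, three copied from the CentOS 6 output posted earlier plus two SSLv3-tagged suites in the same layout; `assess_cipher_string` shells out to a local `openssl` binary and is an assumption about the environment, not needed for the embedded samples.

```python
"""Parse `openssl ciphers -v` output and report what a cipher string leaves.

Added example for this thread, not code from any of the projects discussed.
"""
import re
import subprocess
from collections import Counter

# Constructed samples in the `openssl ciphers -v` layout. The first three
# lines are copied from the CentOS 6 / OpenSSL 1.0.1e output in the thread.
WITH_MINUS_SSLV3 = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
"""
# The same list plus two SSLv3-tagged suites (constructed) that TLS 1.0 and
# TLS 1.1 clients depend on; a cipher string without "-SSLv3" keeps these.
WITHOUT_MINUS_SSLV3 = WITH_MINUS_SSLV3 + """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# One suite per line: name, protocol tag, then Kx= Au= Enc= Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts; skip error lines and blanks."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def assess(suites):
    """Classify a parsed suite list the way the daemons in the thread experience it."""
    by_proto = Counter(s["proto"] for s in suites)
    if not suites:
        # SSL_CTX_set_cipher_list() fails and the login process refuses to start
        verdict = "no cipher match"
    elif set(by_proto) == {"TLSv1.2"}:
        # the daemon starts, but a client that negotiates TLS 1.0/1.1 has no suite left
        verdict = "tls12_only"
    else:
        verdict = "ok"
    return {"verdict": verdict, "by_protocol": dict(by_proto), "count": len(suites)}


def assess_cipher_string(cipher_string):
    """Ask the local OpenSSL what a cipher string expands to (assumes `openssl` on PATH)."""
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    # A non-zero exit is how OpenSSL reports "Error in cipher list".
    return assess(parse_ciphers(proc.stdout) if proc.returncode == 0 else [])


if __name__ == "__main__":
    for label, sample in (("with -SSLv3", WITH_MINUS_SSLV3),
                          ("without -SSLv3", WITHOUT_MINUS_SSLV3)):
        print(label, assess(parse_ciphers(sample)))
    print("OpenSSL 0.9.8 result", assess(parse_ciphers("Error in cipher list\n")))
```

On OpenSSL 1.0.x the SSLv3 tag also covers every TLS 1.0 and TLS 1.1 suite (`SSL_TLSV1` is an alias of `SSL_SSLV3` in that code base), so `-SSLv3` in a cipher list keeps only TLS 1.2 suites, and on the OpenSSL 0.9.8 of CentOS 5, which has no TLS 1.2 suites, it keeps nothing: that is the `no cipher match` line in the log. The protocol is switched off with each daemon's protocol setting instead, with the `-SSLv3` token removed from the cipher strings: `ssl_protocols = !SSLv2 !SSLv3` in Dovecot 2.1 and 2.2 (Dovecot 2.3 replaces it with `ssl_min_protocol`), `openssl_options = +no_sslv3` in Exim, and `SSLProtocol All -SSLv2 -SSLv3` in Apache.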
 