TLSv1.2

Post by mattg » 2018-11-08 03:40

I figured that if Office365 can do it, so can I

I turned off all TLS protocols EXCEPT for TLSv1.2

Something strange has happened
I have an IP camera from a former client that tries to tell me that its hard drive is full every hour or so. It tries to use SSLv3.0, which I haven't accepted for over a year (when I lost that client)

This is with both TLSv1.0 and TLS v1.2 enabled

"DEBUG"	2876	"2018-11-08 11:29:03.484"	"TCP connection started for session 2538"
"DEBUG"	2876	"2018-11-08 11:29:03.484"	"Performing SSL/TLS handshake for session 2538. Verify certificate: False"
"TCPIP"	12644	"2018-11-08 11:29:03.484"	"TCPConnection - TLS/SSL handshake failed. Session Id: 2538, Remote IP: xxx.xxx.xxx.xxx, Error code: 336109835, Message: wrong version number"
"DEBUG"	12644	"2018-11-08 11:29:03.484"	"Ending session 2538"

This is with just TLSv1.2 enabled

"DEBUG"	2616	"2018-11-08 10:39:13.856"	"TCP connection started for session 2360"
"DEBUG"	2616	"2018-11-08 10:39:13.856"	"Performing SSL/TLS handshake for session 2360. Verify certificate: False"
"TCPIP"	6352	"2018-11-08 10:39:13.856"	"TCPConnection - TLS/SSL handshake failed. Session Id: 2360, Remote IP: xxx.xxx.xxx.xxx, Error code: 336027900, Message: unknown protocol"
"DEBUG"	6352	"2018-11-08 10:39:13.856"	"Ending session 2360"

Note the different error message and different error number.

I've also found that my POP3 External Downloads use TLSv1.0 if it is available, but switch up to TLSv1.2 if that is all that is available. Perhaps hMailServer should try the strongest encryption first.

(I had to turn TLSv1.0 back on, as I noticed that a single sender hadn't retried a better security protocol; the sender is the Australian Tax Office, and I think that they are trying to send me their regular newsletter.)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
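
Added example (not part of the original post and not hMailServer code): a log triage script that pulls the handshake failures shown in the post above out of a log and decodes the numeric error code, so clients still offering old protocols can be counted per remote IP before TLSv1.0 is switched off. It assumes the log is tab-separated as pasted and that "Error code" is a packed OpenSSL error in the pre-3.0 layout; the sample lines are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumption: "Error code" is a packed OpenSSL error in the pre-3.0 layout,
# (lib << 24) | (func << 12) | reason, and the log is tab-separated.
ERR_LIB_SSL = 20
SSL_REASONS = {252: "unknown protocol", 267: "wrong version number"}
FAIL_RE = re.compile(
    r"handshake failed\. Session Id: (\d+), Remote IP: ([^,]+), "
    r"Error code: (\d+), Message: (.*)$")

# Constructed sample modelled on the thread's log lines; 192.0.2.10 is a
# documentation address standing in for the masked remote IP.
_PREFIX = '"TCPIP"\t6352\t"2018-11-08 10:39:13.856"\t"TCPConnection - TLS/SSL '
SAMPLE_LOG = "\n".join([
    '"DEBUG"\t2616\t"2018-11-08 10:39:13.856"\t"Ending session 2360"',
    _PREFIX + 'handshake failed. Session Id: 2538, Remote IP: 192.0.2.10, '
    'Error code: 336109835, Message: wrong version number"',
    _PREFIX + 'handshake failed. Session Id: 2360, Remote IP: 192.0.2.10, '
    'Error code: 336027900, Message: unknown protocol"',
])

def unpack_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def handshake_failures(log_text):
    """Yield one dict per TLS handshake failure line in the log text."""
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        m = FAIL_RE.search(row[3]) if len(row) >= 4 and row[0] == "TCPIP" else None
        if not m:
            continue
        lib, func, reason = unpack_error(int(m.group(3)))
        yield {"session": int(m.group(1)), "ip": m.group(2), "func": func,
               "reason": SSL_REASONS.get(reason, str(reason))
               if lib == ERR_LIB_SSL else f"lib {lib} reason {reason}"}

def summarize(log_text):
    """Count failures per (remote IP, decoded reason)."""
    return Counter((f["ip"], f["reason"]) for f in handshake_failures(log_text))

if __name__ == "__main__":
    for (ip, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}\t{reason}\t{n}")
```

Both codes decode to the SSL library (20) with reasons 267 and 252, matching the logged messages. The function fields differ (138 and 118), which in OpenSSL 1.0.x numbering are the SSL3 and SSL23 client-hello handlers.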

Re: TLSv1.2

Post by mattg » 2018-11-08 03:50

And yep, was the Tax office newsletter.

I've turned TLSv1.0 off again now, and I'll try and contact them to ask that they fix the security at their end...

Re: TLSv1.2

Post by jimimaseye » 2018-11-08 09:52

mattg wrote:
2018-11-08 03:50
And yep, was the (Australian) Tax office newsletter.

I bet that's a riveting read. :mrgreen:
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Re: TLSv1.2

Post by mattg » 2018-11-08 10:37

And the main headline... 'Look after your Mental Health'

Here's a link if you need some sleep inducement >> https://www.ato.gov.au/misc/sbit/sbnews20181107.html

Re: TLSv1.2

Post by mattg » 2018-11-08 10:40

But the really really cool thing is, that someone contacted me back.
A real live person who knows what TLSv1.2 actually is


I was really pleasantly surprised to receive multiple emails from a technical contact (that all arrived fine from a different ATO server using TLSv1.2)

Re: TLSv1.2

Post by palinka » 2018-11-09 23:57

mattg wrote:
2018-11-08 10:40
But the really really cool thing is, that someone contacted me back.
A real live person who knows what TLSv1.2 actually is


I was really pleasantly surprised to receive multiple emails from a technical contact (that all arrived fine from a different ATO server using TLSv1.2)

That would never happen here. Ever. Even if there were someone capable enough to understand the tech aspect, they would simply ignore your message.

That being said - being a government agency and all, they are nearly impervious to remote attack.

:mrgreen:

Re: TLSv1.2

Post by mattg » 2018-11-12 09:21

Some more things I've learned

- PHP 5.6 whilst supporting TLSv1.2 will not connect via TLSv1.2 without tricky modifications of ciphers (apparently - not got it working yet)
- PHP 7.X does just fine, as long as you specifically ask to use TLS v1.2 in your code
- ASP pages and applications built with Visual Studio (System.mail) need to have at least DotNET 4.5 as a base library
- Most servers that can't do TLSv1.2 fall back to unencrypted (I'm not sure that that is better)