[Bug 1709193] [NEW] Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer
Launchpad Bug Tracker
1709193 at bugs.launchpad.net
Thu Aug 10 00:27:17 UTC 2017
You have been subscribed to a public bug by Ubuntu Foundations Team Bug Bot (crichton):
sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with
it. Here's a packet capture when ssmtp connects to smtp.sdeziel.info:587
that offers TLSv1.0 and higher:
$ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
Version: TLS 1.0 (0x0301)
Handshake Protocol: Client Hello
Version: TLS 1.0 (0x0301)
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
I would expect ssmtp to use TLSv1.2 and a recent cipher like the openssl
s_client is able to do:
$ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Additional information:
$ lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
$ apt-cache policy ssmtp libgnutls-openssl27
ssmtp:
Installed: 2.64-8ubuntu1
Candidate: 2.64-8ubuntu1
Version table:
*** 2.64-8ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
100 /var/lib/dpkg/status
libgnutls-openssl27:
Installed: 3.4.10-4ubuntu1.3
Candidate: 3.4.10-4ubuntu1.3
Version table:
*** 3.4.10-4ubuntu1.3 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
3.4.10-4ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ssmtp 2.64-8ubuntu1 [modified: etc/ssmtp/revaliases]
ProcVersionSignature: Ubuntu 4.4.0-89.112-generic 4.4.76
Uname: Linux 4.4.0-89-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Mon Aug 7 18:13:33 2017
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ssmtp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ssmtp.revaliases: [modified]
mtime.conffile..etc.ssmtp.revaliases: 2017-08-05T13:44:06.274302
** Affects: gnutls28 (Ubuntu)
Importance: Undecided
Status: New
** Affects: ssmtp (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: gnutls28 (Debian)
Importance: Unknown
Status: Unknown
** Tags: amd64 apport-bug patch xenial
--
Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer
https://bugs.launchpad.net/bugs/1709193
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list