Re: RC4-MD5 cipher no longer available



David Carvalho wrote:
Thanks for the reply.
This is what I get using openssl ciphers -v 'SSLv2'

DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Searching for other RC4 encryptions with openssl ciphers -v | grep -i rc4,
I get:
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export

So I guess that openssl is not the issue here, as I have several
supported RC4 types (both SSLv2 and SSLv3), right?

Yes, it looks like openssl supports the lower-grade encryption modes
just fine. Which suggests that sendmail on Fedora 12 might be compiled
in a way not to allow those modes.

How can I tell sendmail to also use SSLv2 RC4 ciphers?

Good question. I'd start with documentation on sendmail compilation
options (probably on sendmail.org and in the sendmail book). Or install
the sendmail source RPM and browse the sendmail.spec file - that's where
the Fedora-specific configuration is defined. The spec file usually
contains a changelog, so maybe there is something obvious in there.

It's also possible that this is not a compilation option, but some
setting that has changed in the default configuration files on Fedora 12.

I was actually going to install Fedora 13 next weekend, on a box that is
partly a mailserver, so I will see for myself ...

What do you mean by "Delete the "and" after "RC4-MD5"."?

I don't know! I must have been half-asleep when I typed my message this
morning. I thought the "and" was a typo, but it isn't. I need more coffee!!

Thank you very much


You're welcome.

Ole

Regards
Dave




"Ole Hansen" <ole.at.redvw.com@xxxxxxx> wrote in message
news:HBNPn.46366$Ak3.44098@xxxxxxxxxxxxxxx
Ole Hansen wrote:
David Carvalho wrote:
Hi!
After installing ssldump, I could compare Windows XP and Windows 7
clients' STARTTLS negotiation.
While the Windows 7 client used TLS_RSA_WITH_AES_128_CBC_SHA via TLSv1/SSLv3,
the Windows XP output is:

New TCP connection #1: 10.0.0.252(5000) <-> my.server (25)
1 1 0.0182 (0.0182) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_RC4
SSL2_CK_3DES
SSL2_CK_RC2
TLS_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

1 2 0.0188 (0.0005) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
3e d1 e3 37 a1 47 c0 87 ff 1c 8b bf ab f3 fa 94
f7 da e7 27 d1 54 cf 10 95 ad ec c9 b4 90 b1 6d
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0188 (0.0000) S>C Handshake
Certificate
1 4 0.0202 (0.0014) S>C Handshake
1 5 0.0202 (0.0000) S>C Handshake
1 0.0229 (0.0026) C>S TCP FIN
1 0.0230 (0.0001) S>C TCP FIN
New TCP connection #2: 10.0.0.252(1025) <-> my.server(25)
2 60.0266 (60.0266) C>S TCP FIN
2 60.0267 (0.0000) S>C TCP FIN

So how can I enable SSLv2 support, assuming that this is the problem?
Any help appreciated.
Thanks and regards
David



Oops, sorry for the hasty typing:

Well ... check if the desired cipher/protocol etc. are enabled in openssl.
If no, rebuild openssl with appropriate options.
If yes, probably need to rebuild sendmail to enable lower-grade
encryption.

On my Fedora 11 box, SSLv2 and RC4-MD5 are definitely enabled in the
default openssl installation. Don't know about the sendmail
configuration, but RC4-MD5 and submission from Outlook Express/WinXP

Delete the "and" after "RC4-MD5".

worked (as you know) still fine as recently as Fedora 9, so it should be

Meant to say "shouldn't" not "should".

too hard to compare rpm spec files for some obvious changes in
configuration options.

HTH,
Ole









"David Carvalho" <dave_carvalho@xxxxxxxxxxx> wrote in message
news:hum0t7$m8t$1@xxxxxxxxxxxxxxxxxxxx
Hi!
I am having trouble since I replaced my e-mail server (hardware and to
Fedora 12).
Basically I'm using almost the same sendmail.mc file as in the
previous server.
The problem is that Windows XP clients running Outlook, Outlook
Express or Windows Mail cannot relay, as they fail to STARTTLS.
On those systems everything works fine if using Thunderbird.
Using Windows 7 and OS X, everything works fine.
In my previous server logs, I saw that these clients used the RC4-MD5
cipher, but now I get
STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1
and other times
STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
depending on which client.

I've found some information confirming this issue with older
Windows at
http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html

How can I get those Windows clients to relay using the same e-mail
clients?
Any help appreciated.
Regards
David
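
Added example (not part of any post in this thread): a small Python parser that summarizes an ssldump trace like the one quoted above, reporting which suites the client offered, which of those are weak by name, which suite the server selected, and which side closed the connection first. The sample trace is constructed, and the function names and weakness labels are this example's own assumptions.

```python
import re

# Constructed sample in ssldump's text layout (addresses and timings are made up).
SAMPLE_TRACE = """\
New TCP connection #1: 192.0.2.10(5000) <-> mail.example(25)
1 1  0.0182 (0.0182)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_RC4
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
1 2  0.0188 (0.0005)  S>C  Handshake
      ServerHello
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
1 3  0.0188 (0.0000)  S>C  Handshake
      Certificate
1    0.0229 (0.0026)  C>S  TCP FIN
1    0.0230 (0.0001)  S>C  TCP FIN
"""

# Record header: connection id, optional record number, timestamps, direction, description.
RECORD = re.compile(r"^\d+(?:\s+\d+)?\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(.*)$")
SUITE = re.compile(r"^(?:TLS|SSL2_CK)_\w+$")
# Substring of a suite name -> reason the suite is considered weak (labels are assumptions).
REASONS = [("SSL2_CK", "SSLv2"), ("EXPORT", "export-grade"), ("RC4", "RC4"),
           ("RC2", "RC2"), ("_DES", "56-bit DES"), ("MD5", "MD5 MAC")]

def weaknesses(suite):
    return [why for token, why in REASONS if token in suite]

def summarize(trace):
    out = {"offered": [], "chosen": None, "server_sent": [], "first_fin": None}
    direction = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = RECORD.match(line)
        if m:                                   # start of a new record
            direction, what = m.groups()
            if what == "TCP FIN" and out["first_fin"] is None:
                out["first_fin"] = "client" if direction == "C>S" else "server"
        elif line.startswith("cipherSuite") and direction == "S>C":
            out["chosen"] = line.split()[-1]    # suite picked in ServerHello
        elif direction == "C>S" and SUITE.match(line):
            out["offered"].append(line)         # suite listed in the client hello
        elif direction == "S>C" and re.fullmatch(r"[A-Z][A-Za-z]+", line):
            out["server_sent"].append(line)     # e.g. ServerHello, Certificate
    out["weak_offered"] = {s: weaknesses(s) for s in out["offered"] if weaknesses(s)}
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

A selected suite together with a client-side first FIN means the two ends did agree on a cipher and the connection was dropped later in the handshake.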


