Re: RC4-MD5 cipher no longer available
- From: Ole Hansen <ole.at.redvw.com@xxxxxxx>
- Date: Wed, 09 Jun 2010 17:22:55 -0400
David Carvalho wrote:
Thanks for the reply.
This is what I get using openssl ciphers -v 'SSLv2'
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128)
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40)
searching for other RC4 encryptions with openssl ciphers -v | grep -i rc4
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1
EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5
So I guess that openssl is not the issue here, as I have several
supported RC4 types (both SSLv2 and SSLv3), right ?
Yes, it looks like openssl supports the lower-grade encryption modes
just fine. Which suggests that sendmail on Fedora 12 might be compiled
in a way not to allow those modes.
How can I tell sendmail to also use SSLv2 RC4 ciphers ?
Good question. I'd start with documentation on sendmail compilation
options (probably on sendmail.org and in the sendmail book). Or install
the sendmail source RPM and browse the sendmail.spec file - that's where
the Fedora-specific configuration is defined. The spec file usually
contains a changelog, so maybe there is something obvious in there.
It's also possible that this is not a compilation option, but some
setting that has changed in the default configuration files on Fedora 12.
I was actually going to install Fedora 13 next weekend, on a box that is
partly a mailserver, so I will see for myself ...
What do you mean by "Delete the "and" after "RC4-MD5"." ?
I don't know! I must have been half-asleep when I typed my message this
morning. I thought the "and" was a typo, but it isn't. I need more coffee!!
Thank you very much
"Ole Hansen" <ole.at.redvw.com@xxxxxxx> wrote in message
Ole Hansen wrote:
David Carvalho wrote:
Oops, sorry for the hasty typing:
After installing ssldump, I could compare Windows XP and Windows 7
clients' STARTTLS negotiation.
While the Windows 7 client used TLS_RSA_WITH_AES_128_CBC_SHA via TLSv1/SSLv3,
the Windows XP output is
New TCP connection #1: 10.0.0.252(5000) <-> my.server (25)
1 1 0.0182 (0.0182) C>S SSLv2 compatible client hello
1 2 0.0188 (0.0005) S>C Handshake
3e d1 e3 37 a1 47 c0 87 ff 1c 8b bf ab f3 fa 94
f7 da e7 27 d1 54 cf 10 95 ad ec c9 b4 90 b1 6d
1 3 0.0188 (0.0000) S>C Handshake
1 4 0.0202 (0.0014) S>C Handshake
1 5 0.0202 (0.0000) S>C Handshake
1 0.0229 (0.0026) C>S TCP FIN
1 0.0230 (0.0001) S>C TCP FIN
New TCP connection #2: 10.0.0.252(1025) <-> my.server(25)
2 60.0266 (60.0266) C>S TCP FIN
2 60.0267 (0.0000) S>C TCP FIN
So how can I enable SSLv2 support, assuming that this is the problem ?
Any help appreciated.
Thanks and regards
Well ... check if the desired cipher/protocol etc. are enabled in openssl.
If no, rebuild openssl with appropriate options.
If yes, probably need to rebuild sendmail to enable lower-grade
On my Fedora 11 box, SSLv2 and RC4-MD5 are definitely enabled in the
default openssl installation. Don't know about the sendmail
configuration, but RC4-MD5 and submission from Outlook Express/WinXP
Delete the "and" after "RC4-MD5".
worked (as you know) still fine as recently as Fedora 9, so it should be
Meant to say "shouldn't" not "should".
too hard to compare rpm spec files for some obvious changes in
"David Carvalho" <dave_carvalho@xxxxxxxxxxx> wrote in message
I am having trouble since I replaced my e-mail server (hardware and to
Basically I'm using almost the same sendmail.mc file than in the
The problem is that Windows XP clients running Outlook, Outlook
Express or Windows Mail cannot
relay, as they fail to STARTTLS. On those systems everything works
fine if using Thunderbird.
Using Windows 7, and OS X everything works fine.
In my previous server logs, I saw that these clients used RC4-MD5
cipher, but now
STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104,
and other times
STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0,
depending on which client.
I've found some information confirming this issue with older
How can I get those Windows clients to relay using the same e-mail
Any help appreciated.
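
An added example, not part of the original thread: a small parser for the `openssl ciphers -v` rows quoted above that reports which legacy properties each suite carries, keyed by name and protocol because RC4-MD5 is listed under both SSLv2 and SSLv3. The function names, the labels, the 128-bit threshold and the fallback of reading the MAC from the suite name when the `Mac=` field is missing are assumptions of this example.

```python
import re

# Constructed sample in the `openssl ciphers -v` format quoted in the thread.
# The RC4-MD5 SSLv2 row has no Mac= field, as in the listing above.
SAMPLE = """\
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128)
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

FIELD = re.compile(r"([A-Za-z]+)=([^()=]+)(?:\((\d+)\))?")

def parse_line(line):
    """Parse one row into a dict, or return None if it is not a cipher row."""
    parts = line.split()
    if len(parts) < 3:
        return None
    suite = {"name": parts[0], "proto": parts[1], "bits": None}
    for tok in parts[2:]:
        m = FIELD.fullmatch(tok)
        if m is None:               # trailing word that is not key=value
            continue
        key, val, num = m.groups()
        suite[key.lower()] = val
        if key == "Enc" and num:
            suite["bits"] = int(num)
    return suite if "enc" in suite else None

def findings(suite):
    """Return labels for the legacy properties of a parsed suite."""
    mac = suite.get("mac")
    checks = [
        ("sslv2", suite["proto"] == "SSLv2"),
        ("export", suite["name"].startswith("EXP-")),
        ("rc4", suite["enc"] == "RC4"),
        ("short-key", suite["bits"] is not None and suite["bits"] < 128),
        ("md5-mac", mac == "MD5" or (mac is None and suite["name"].endswith("-MD5"))),
    ]
    return [label for label, hit in checks if hit]

def audit(text):
    """Map (suite name, protocol) to its list of findings."""
    report = {}
    for line in text.splitlines():
        suite = parse_line(line)
        if suite:
            report[(suite["name"], suite["proto"])] = findings(suite)
    return report
```

Feeding it the real output of `openssl ciphers -v` on the old and new servers and comparing the two reports shows which suites were dropped between builds.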