Getting TLS1.2 to work!!

Problem reported by Tarkan - 7/15/2015 at 5:16 PM

Resolved

Is everyone using SM14 getting TLS1.2 working on the SMTP/IMAP ports?

I have setup a test environment with the latest version of SM14 and Server 2012R2, and just cannot get TLS1.1 or TLS1.2 to work - TLS1.0 is working fine.

Certificate install looks fine - TLS1.0 is working ok but I get an error if I force TLS1.1 or TLS1.2.

Sending an openssl s_client command to the test machine, results in this.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 2E340000A84BDE1FB17913BB1923FCD4712D4273DCD6500BECCA7

    Session-ID-ctx:
    Master-Key: A66A7A402E5429810ABF115D312214A346FD7C4596B5463CF6315
2F8D9F6E484CB081EE55B2E9904F0EE2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437004050
    Timeout   : 300 (sec)

If I rerun the command this time forcing TLS1.1 or TLS1.2 I get the following.

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437004202
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

I have tried everything - replaced the certificates several times, used different 3rd party certificates, self signed certificates, etc always the same result.

Any pointers on where I should look or investigate.

Thanks.

10 Replies

Reply to Thread

Bruce Barnes Replied

7/15/2015 at 5:52 PM

You need to enable the ciphers and encryption.

See: Maximizing SSL Security for Windows Server 2012 SSL/TLS

I have a couple of .REG files which can be imported to the registry.

Once imported, and the server re-booted, everything should start working.

Note that ALL SSL is now depreciated. The files I will send you will have SSL 1.0, SSL 2.0, and SSL 3.0 disabled.

Your Windows Server 2012 will receive an "A" rating at https://www.ssllabs.com/ssltest/index.html once you follow the instructions at the link above.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Tarkan Replied

7/16/2015 at 1:16 AM

Hi Bruce,

Thanks for the response. I normally use IISCrypto to setup the correct ciphers.

The IIS hosted webmail is working with TLS 1.2 ok no problem using the same certificate as installed on the SM14 ports (on the same machine of course).

Connection: TLS 1.2, AES with 256 bit encryption (High); ECDH_P256 with 256 bit exchange

I am really scratching my head with this one - I will try your REG files see if they make any difference.

Tarkan Replied

7/16/2015 at 5:05 AM

Hi Bruce,

I tried your REG and same thing.

Out of interest I just ran this against your securemail.chicagonettech.com server.

openssl s_client -starttls smtp -connect securemail.chicagonettech.com:25 -tls1_2

and guess what your machine is not accepting a TLS1.2 connection either - I have sent you an email so I can look at my logs and see if my email was recieved using TLSv1.2 or not.

Bruce Barnes Replied

7/16/2015 at 5:18 AM

If you want to support Android 4.4 and below, you cannot disable TLS 1.0, because disabling TLS 1.0 disables it on ALL ports, not just 25.

Bruce Barnes Replied

7/16/2015 at 5:24 AM

I'll take the "A" rating from SSL labs as it stands.

We're monitoring the development of TLS 1.3, and will watch for other options and developments, implimenting as appropriate, so we can support as many Android clients as possible., but I don't see TLS 1.3 as either a final solution, or being approved, for at least another 18 months.

Matt Petty Replied

7/21/2015 at 10:30 AM

Employee Post

Tarkan, we have fixed this in our next minor build.

SmarterMail will now accept TLS 1.2 connections and use TLS 1.2 connections for SMTP Out as well.

If you wish to test this out please contact sales and ask for the custom build for TLS 1.2.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Tarkan Replied

7/21/2015 at 2:17 PM

Hi Matt,

Many thanks for the update - so I was not going mad and it was an issue within Smartermail.

Couple of my clients were seeking confirmation that SM14 would use TLSv1.2 to send/receive email and not being able to demonstrate or confirm was an issue!!

Tarkan Replied

7/22/2015 at 7:12 AM

Hi Matt,

Just tested the custom build - straight upgrade install with no other changes made.

TLSv1.2 handshake

SSL handshake has read 2076 bytes and written 602 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: E7450000627BA6CD2731234C21C6A566FEBFEBAE595282C04597

    Session-ID-ctx:
    Master-Key: BC629907207A7C6B7BF423A9EA51370C8080751863A7FB9461E1
2414EF2DD8D08355E5AE7C1A878CD08C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437573067
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

TLSv1.1 handshake

SSL handshake has read 2042 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 6C3B0000C502334FF99F21388C41E4EBB52150DEDECB9971E449511

    Session-ID-ctx:
    Master-Key: 58EE38640C97C0F469BEADF3D0E64F3FC83DD37C7116A4B69F6B45E
A1130ECE3EEA134CC6176D4B485BFC74
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437573279
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Finally email sent between my postfix gateway to the test SM14 custom build machine.

Jul 22 14:51:07 gateway-de postfix/smtp[12777]: Verified TLS connection established to smtp.somewhere.net[x.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

Sent from SM14 custom build out to my gateway machine.

Jul 22 15:10:27 gateway-de postfix/smtpd[12900]: Anonymous TLS connection established from smtp.somewhere.net[x.x.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

Many thanks for fixing this bug!!

Bruce Barnes Replied

7/22/2015 at 12:52 PM

Tarkan: Can you please contact me off-list - via e-mail, at support@chicagonettech.com. I have a couple of questions for you.

Thanks

Bruce Barnes Replied

7/23/2015 at 1:14 PM

Matt, et al;

I've been working with Tarkan, and several others, on the issue of TLS 1.2, and installed the special TLS compile onto both my SmarterMail server, and the SmarterMail server of an insurance client last evening.

All tests indicate that TLS 1.2 is functioning properly with both SmarterMail servers which are running the TLS 1.2 compile and non-SmarterMail servers which support TLS 1.2.

Here are a few examples:

Test #1 - GMAIL.COM to CHICAGONETTECH.COM

Received: from mail-la0-f52.google.com (mail-la0-f52.google.com [209.85.215.52]) by securemail.chicagonettech.com with SMTP
   (version=TLS\Tls12
   cipher=Aes256 bits=256);
   Thu, 23 Jul 2015 14:49:13 -0500

Test #2 - SmarterMail with special build to CHICAGONETTECH.COM

Received: from mail.insuremart.net ( mail.insuremart.net [98.180.231.10]) by securemail.chicagonettech.com with SMTP
   (version=TLS\Tls12
   cipher=Aes256 bits=256);
   Wed, 22 Jul 2015 22:09:14 -0500

Test #3 - Non-SmarterMail [IETF.ORG] to CHICAGONETTECH.COM

Received: from mail.ietf.org (mail.ietf.org [4.31.198.44]) by securemail.chicagonettech.com with SMTP
   (version=TLS\Tls12
   cipher=Aes256 bits=256);
   Thu, 23 Jul 2015 06:10:51 -0500

Test #4 - Non-SmarterMail [GODADDY.COM - NON SECURE SERVER - through forwarder, as is now required by GoDaddy virtual servers running MX] to CHICAGONETTECH.COM

Received: from p3plsmtps2ded04.prod.phx3.secureserver.net (p3plsmtps2ded04.prod.phx3.secureserver.net [208.109.80.198]) by securemail.chicagonettech.com with SMTP;
Thu, 23 Jul 2015 10:15:40 -0500

NO TLS WHATSOEVER

These same tests were conducted with many other servers, both TLS 1.2 and non-TLS 1.2, and all functioned without issues.

Thanks for getting the TLS 1.2 code into SmarterMail. This is an important move forward in the never ending quest to provide the best possible security for all of our hosted customers and will help in both maintaining existing clients and bringing new customers to our base.

Back to Community Threads

Please leave this box unchecked

10 Replies

Reply to Thread

Tags

Related Knowledge Base Articles