Couldn't upgrade to TLS for client

Couldn't upgrade to TLS for client

Martin Voßloh-2
Hello,

I very often have this error in my logs:
Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for client XXX.XXX.XXX.XXX:

These are the settings I have for: SSL version used for transmission (SSL_version)
SSLv23:!SSLv3:!SSLv2

Should I try this:
In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.

Or do I have another problem?

Thanks and regards
Martin

ASSP version 2.5.2(16142)




------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: Couldn't upgrade to TLS for client

Martin Voßloh-2
Hi Pontus,

Thanks for your reply.

So I can ignore this information.

Regards
Martin



-----Original Message-----
From: Pontus Hellgren [mailto:[hidden email]]
Sent: Thursday, 2 June 2016 14:29
To: Martin Voßloh <[hidden email]>
Subject: Fwd: [Assp-test] Couldn't upgrade to TLS for client

In case this does not reach the list.

I feel I have been muted/blocked from the list :-( None of my latest posts have reached the list.

Regards,
Pontus

-----Original Message-----
From: Pontus Hellgren [mailto:[hidden email]]
Sent: 2 June 2016 14:27
To: 'ASSP development mailing list' <[hidden email]>
Subject: Re: [Assp-test] Couldn't upgrade to TLS for client

Hi Martin!

I believe (and anyone can correct me) that you should not allow your TLS/SSL to run low security handshakes or connections.
This might expose your certificate (due to low encryption). We do not allow anything lower than TLSv1 for TLS sessions.
We get the "Error" in our logs too, but we see these as a "Warning/Notice" ourselves.
The sender has to resort to plain text rather than us exposing our certificate to malice.

I see this a lot from Asian and African "senders/clients" and probably a couple of botnets trying this.
No newer client should refuse using TLSv1 or higher.
My guess is it's some kind of "fishing" to make you lower your security.
We don't!

I may stand corrected,
Pontus

-----Original Message-----
From: Martin Voßloh [mailto:[hidden email]]
Sent: 2 June 2016 13:56
To: ASSP development mailing list <[hidden email]>
Subject: [Assp-test] Couldn't upgrade to TLS for client

Hello,

I very often have this error in my logs:
Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for client
XXX.XXX.XXX.XXX:

These are the settings I have for: SSL version used for transmission (SSL_version)
SSLv23:!SSLv3:!SSLv2

Should I try this:
In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2'
might help.

Or do I have another problem?

Thanks and regards
Martin

ASSP version 2.5.2(16142)









Re: Couldn't upgrade to TLS for client

GrayHat
In reply to this post by Martin Voßloh-2
:: On Thu, 2 Jun 2016 11:55:38 +0000
:: <[hidden email]>
:: Martin Voßloh <[hidden email]> wrote:

> Hello,
>
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for
> client XXX.XXX.XXX.XXX:
>
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS do TLS
SSL_version SSLv23:!SSLv3:!SSLv2
SSL_cipher_list kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suite combo offering strong
ciphers first but allowing a downgrade to weak ones in case the remote
client doesn't support the stronger ones; sure, you may still see some
"TLS" messages, but in such a case those will probably come from very
old clients which don't support TLS and only support "SSLvX" (or from
bots trying to exploit the SSL bugs to extract info), so just ignore
those errors :)

Re: Couldn't upgrade to TLS for client

Martin Voßloh-2
Hi,

Is it possible that the entry is going wrong in this mail?

kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

The "k" in front of some entries?

Like those
https://www.kuketz-blog.de/nsa-abhoersichere-ssl-verschluesselung-fuer-apache-und-nginx/

Regards
Martin

-----Original Message-----
From: Grayhat [mailto:[hidden email]]
Sent: Friday, 3 June 2016 09:07
To: [hidden email]
Subject: Re: [Assp-test] Couldn't upgrade to TLS for client

:: On Thu, 2 Jun 2016 11:55:38 +0000
:: <[hidden email]>
:: Martin Voßloh <[hidden email]> wrote:

> Hello,
>
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for
> client XXX.XXX.XXX.XXX:
>
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS do TLS
SSL_version SSLv23:!SSLv3:!SSLv2
SSL_cipher_list kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suite combo offering strong ciphers first but allowing a downgrade to weak ones in case the remote client doesn't support the stronger ones; sure, you may still see some "TLS" messages, but in such a case those will probably come from very old clients which don't support TLS and only support "SSLvX" (or from bots trying to exploit the SSL bugs to extract info), so just ignore those errors :)

Re: Couldn't upgrade to TLS for client

GrayHat
:: On Fri, 3 Jun 2016 10:17:58 +0000
:: <[hidden email]>
:: Martin Voßloh <[hidden email]> wrote:

> Hi,
>
> Is it possible that the entry is going wrong in this mail?
>
> kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>
> The "k" in front of some entries?

no, the "k" is correct, stands for "key exchange" and is accepted by
OpenSSL w/o problems (also tried it with other apps using OpenSSL to
implement SSL support)


Re: Couldn't upgrade to TLS for client

GrayHat
:: On Fri, 3 Jun 2016 12:29:01 +0200
:: <[hidden email]>
:: Grayhat <[hidden email]> wrote:

> :: On Fri, 3 Jun 2016 10:17:58 +0000
> :: <[hidden email]>
> :: Martin Voßloh <[hidden email]> wrote:
>
> > Hi,
> >  
> > Is it possible that the entry is going wrong in this mail?
> >
> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> >
> > The "k" in front of some entries?
>
> no, the "k" is correct, stands for "key exchange" and is accepted by
> OpenSSL w/o problems (also tried it with other apps using OpenSSL to
> implement SSL support)

notice that, using the above string, you'll offer the following ciphers

Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384    
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA      
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256      
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA        
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256    
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA      
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256      
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA        
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA      
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA        
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA      
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA        
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA      
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA        
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA      
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA        
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.0  128 bits  RC4-SHA

if using a normal certificate; if instead you have an ECDSA-enabled
certificate, you'll also offer the following ciphers in addition to
the above (and preferred)

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256

as you see, the setup offers the stronger ciphers first while still
maintaining support for weaker, older ones as a last resort, which
helps maintain compatibility with older clients


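Added example (not code from this thread, from ASSP or from OpenSSL): a simplified model of how OpenSSL walks the SSL_cipher_list string GrayHat suggests, showing why the "k" prefixes select by key exchange and how "+SHA"/"+RC4" push the older suites to the end of the offer, as in the scan output above. The suite catalogue is constructed for illustration and carries only the aliases used here; aliases absent from it match nothing, and "@STRENGTH" sorting is not modelled.

```python
# Simplified model of OpenSSL's cipher-list evaluation (constructed for this
# example; not OpenSSL's own table or code). Each suite is tagged with the
# aliases it would match: k* = key exchange, a* = authentication, then the
# bulk cipher, the security level and the MAC (SHA means SHA-1, not SHA384).
CATALOGUE = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"kEECDH", "ECDSA", "AES", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-GCM-SHA384":   {"kEECDH", "aRSA", "AES", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-SHA":          {"kEECDH", "aRSA", "AES", "HIGH", "SHA"},
    "ECDHE-RSA-RC4-SHA":             {"kEECDH", "aRSA", "RC4", "MEDIUM", "SHA"},
    "AECDH-AES256-SHA":              {"kEECDH", "aNULL", "AES", "HIGH", "SHA"},
    "DHE-RSA-AES256-SHA":            {"kEDH", "aRSA", "AES", "HIGH", "SHA"},
    "AES256-SHA":                    {"kRSA", "aRSA", "AES", "HIGH", "SHA"},
    "DES-CBC3-SHA":                  {"kRSA", "aRSA", "3DES", "HIGH", "SHA"},
    "RC4-SHA":                       {"kRSA", "aRSA", "RC4", "MEDIUM", "SHA"},
    "RC4-MD5":                       {"kRSA", "aRSA", "RC4", "MEDIUM", "MD5"},
    "NULL-SHA":                      {"kRSA", "aRSA", "eNULL", "SHA"},
}

# The SSL_cipher_list string suggested in the thread.
ASSP_SPEC = ("kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:"
             "!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED")

def matches(tags, token):
    # "A+B" requires a suite to carry every listed alias (e.g. kEECDH+ECDSA).
    return all(part in tags for part in token.split("+"))

def expand_cipher_list(spec, catalogue=CATALOGUE):
    """Return the suites, in offer order, that a server configured with
    spec would advertise under this model."""
    offered, killed = [], set()
    for token in spec.replace(",", ":").split(":"):
        if not token or token.startswith("@"):
            continue                                   # @STRENGTH not modelled
        prefix, alias = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n, tags in catalogue.items() if matches(tags, alias)]
        if prefix == "!":                              # delete permanently
            killed.update(hits)
            offered = [n for n in offered if n not in killed]
        elif prefix == "-":                            # delete, may be re-added
            offered = [n for n in offered if n not in hits]
        elif prefix == "+":                            # move to the end, keep order
            offered = ([n for n in offered if n not in hits]
                       + [n for n in offered if n in hits])
        else:                                          # append if not yet present
            offered += [n for n in hits if n not in offered and n not in killed]
    return offered

if __name__ == "__main__":
    for i, suite in enumerate(expand_cipher_list(ASSP_SPEC), 1):
        print(f"{i:2d}. {suite}")
```

Running it lists the ECDSA suite first, the GCM suites next, the SHA-1 suites after them and RC4 last, while the anonymous, 3DES and MD5 suites never appear.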