Test/tls.py errors

Benoit · December 23, 2020, 11:57am

Having issues with TLS connection from external system since I have updated the MiaB from 0.40 to 0.51, I try the test tls py, but it seems not working:

python3 tests/tls.py
Usage: python3 tls.py [–proxy ssh_host] hostname
python3 tests/tls.py =host=
PORT 25

Traceback (most recent call last):
File “tests/tls.py”, line 152, in
sslyze([“–starttls=smtp”], 25, MOZILLA_CIPHERS_OLD)
File “tests/tls.py”, line 91, in sslyze
out = subprocess.check_output([SSLYZE] + common_opts + opts + [connection_string])
File “/usr/lib/python3.6/subprocess.py”, line 356, in check_output
**kwargs).stdout
File “/usr/lib/python3.6/subprocess.py”, line 423, in run
with Popen(*popenargs, **kwargs) as process:
File “/usr/lib/python3.6/subprocess.py”, line 729, in init
restore_signals, start_new_session)
File “/usr/lib/python3.6/subprocess.py”, line 1364, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: ‘sslyze-0_11-linux64/sslyze/sslyze.py’: ‘sslyze-0_11-linux64/sslyze/sslyze.py’

alento · December 23, 2020, 1:23pm

You have SSLyze available right? @Benoit

# Make sure you have SSLyze available:
# wget https://github.com/nabla-c0d3/sslyze/releases/download/release-0.11/sslyze-0_11-linux64.zip
# unzip sslyze-0_11-linux64.zip
#

Benoit · December 23, 2020, 2:13pm

Thanks @alento
Link change: wget https://github.com/nabla-c0d3/sslyze/releases/download/0.11.0/sslyze-0_11-linux64.zip

Results of the test is:
PORT 587
--------

  * Session Renegotiation:
      Client-initiated Renegotiations:   VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

  * Deflate Compression:
      OK - Compression disabled          

Unhandled exception when processing --heartbleed: 
socket.error - [Errno 104] Connection reset by peer

  * Session Resumption:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          OK - Supported

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * TLSV1_2 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-521 bits  256 bits      250 2.0.0 Ok                       
      Accepted:                        
                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-521 bits  256 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-521 bits  128 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits      250 2.0.0 Ok                       

  * TLSV1_1 Cipher Suites:
      Undefined - An unexpected error happened:

==> ALL timeout - timed out

  * TLSV1 Cipher Suites:
      Undefined - An unexpected error happened:

==> ALL timeout - timed out

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

  Should Not Offer: DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384
  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
  Supported Clients: OpenSSL/1.0.2, Android/4.4.2, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, BingPreview/Jan 2015, Java/8u31, Chrome/42/OS X, Android/5.0.0, IE/11/Win 8.1, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X

was it different in version 0.40 (open question) ?

alento · December 23, 2020, 3:37pm

Hi! I haven’t reviewed the results of your test however I will answer this question for you.

TLS versions 1.0 and 1.1 were scheduled to be EoL in March of this year. In MiaB version 0.44 TLS was updated to not allow connections from devices using the older unsafe TLS versions.

However, several different mail providers across the internet also updated their servers at about the same time, but MANY did not. As a result of this many many people using older email clients could no longer connect to their email provider. The major culprit was Outlook versions 2007, 2010. Why anyone uses an email client that old is beyond me.

I have been told by @JoshData that, as a result of this, these changes were rolled back - hence why I did not reply to your other thread … but there has never been an indication of this in the changelog, so I am asking @JoshData to please clarify this…

@Benoit The best course of action IMHO is to update the client that you are having issues with. You do not define what the ‘external system’ is so I can’t offer any guidance at this point.