Hello, Anyone from AS5 here? I see ipv6 bgp hijack of our prefixes via AS5. http://lg.ring.nlnog.net/prefix_detail/lg01/ipv6?q=2a03:ff40:dcbe:cc:250:d88... Seen from PCCW perspective only, maybe somebody from PCCW can help? Thanks, Dmitry
OK, so that email bounced. Or will eventually because this does not go away with someone doing something: <dmitry@interhost.net>... Deferred: 403 4.7.0 TLS handshake failed. I am posting this in public because it unfortunately is a very common problem. Debian buster was released on July 6th, 2019. It includes openssl 1.1.1 with this configuration update among number of other improvements: openssl (1.1.1~~pre6-1) experimental; urgency=medium * New upstream version * Increase default security level from 1 to 2. This moves from the 80 bit security level to the 112 bit securit level and will require 2048 bit RSA and DHE keys. -- Kurt Roeckx <kurt@roeckx.be> Tue, 01 May 2018 16:00:55 +0200 I assume similar policies have been applied to all modern and maintained operating systems by now. Everyone should verify their own SMTP servers to avoid losing email due to TLS failures. Doing so is simple from e.g Debian: bjorn@canardo:/usr/local/src/openwrt$ cd bjorn@canardo:~$ host interhost.net interhost.net has address 185.18.204.66 interhost.net mail is handled by 10 pineapp.interhost.co.il. bjorn@canardo:~$ openssl s_client -quiet -connect pineapp.interhost.co.il:25 -starttls smtp depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018 verify return:1 depth=0 CN = *.interhost.co.il verify return:1 139901908640896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150: The fix obviously depends on the server, but is usually as simple as regnerating the DH parameters. See for example https://forums.freebsd.org/threads/sendmail-dh-key-too-small.51985/ Bjørn
A slightly nicer tool than just using "openssl s_client" is testssl.sh, handles STARTTLS and some other non-trivial cases. https://testssl.sh/ Back when I first used it I did read the source, these days at ~650k of shell script, that's a little less practical. On 12/4/21 10:58 pm, Bjørn Mork wrote:
OK, so that email bounced. Or will eventually because this does not go away with someone doing something:
<dmitry@interhost.net>... Deferred: 403 4.7.0 TLS handshake failed.
I am posting this in public because it unfortunately is a very common problem.
Debian buster was released on July 6th, 2019. It includes openssl 1.1.1 with this configuration update among number of other improvements:
openssl (1.1.1~~pre6-1) experimental; urgency=medium
* New upstream version * Increase default security level from 1 to 2. This moves from the 80 bit security level to the 112 bit securit level and will require 2048 bit RSA and DHE keys.
-- Kurt Roeckx <kurt@roeckx.be> Tue, 01 May 2018 16:00:55 +0200
I assume similar policies have been applied to all modern and maintained operating systems by now.
Everyone should verify their own SMTP servers to avoid losing email due to TLS failures. Doing so is simple from e.g Debian:
bjorn@canardo:/usr/local/src/openwrt$ cd bjorn@canardo:~$ host interhost.net interhost.net has address 185.18.204.66 interhost.net mail is handled by 10 pineapp.interhost.co.il.
bjorn@canardo:~$ openssl s_client -quiet -connect pineapp.interhost.co.il:25 -starttls smtp depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018 verify return:1 depth=0 CN = *.interhost.co.il verify return:1 139901908640896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
The fix obviously depends on the server, but is usually as simple as regnerating the DH parameters. See for example https://forums.freebsd.org/threads/sendmail-dh-key-too-small.51985/
Bjørn
participants (3)
-
Bjørn Mork
-
Dmitry Sherman
-
Julien Goodwin