php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #76022 PHP.net mail server
Submitted: 2018-02-27 20:46 UTC Modified: 2018-03-01 17:08 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dpa-bugs at aegee dot org Assigned:
Status: Open Package: Systems problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-02-27 20:46 UTC] dpa-bugs at aegee dot org
Description:
------------
In my mail logs I have in UTC:

Feb 27 20:07:46 mail sendmail[32619]: STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0, retry=-1, relay=sgrv20.php.net [69.195.222.219]
Feb 27 20:07:46 mail sendmail[32619]: w1RK7kDd032619: sgrv20.php.net [69.195.222.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to sm-mail
Feb 27 20:17:47 mail sendmail[4598]: STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0, retry=-1, relay=sgrv20.php.net [69.195.222.219]
Feb 27 20:17:47 mail sendmail[4598]: w1RKHkQ8004598: sgrv20.php.net [69.195.222.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to sm-mail
Feb 27 20:27:48 mail sendmail[7275]: STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0, retry=-1, relay=sgrv20.php.net [69.195.222.219]
Feb 27 20:27:48 mail sendmail[7275]: w1RKRmH9007275: sgrv20.php.net [69.195.222.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to sm-mail

so that your mail server does not agree with my mail server on a cipher suite.

Why doesn't your server retry without STARTTLS?

Unfortunately I don't know what ciphers were offered, but using testssl.sh

for php-smtp3.php.net you offer:
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
               DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA 
    TLSv1.1:   ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
               DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA 
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
               DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA
               ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
               DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA CAMELLIA128-SHA 



and my server offers

testssl.sh -t mail.aegee.org:25
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA 
    TLSv1.1:   ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA 
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256
               ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA 


so ECDHE-RSA-AES256-GCM-SHA384 would be common denominator.

The further testssh.sh says for php-smtp3.php.net:

_Testing vulnerabilities_
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), potential DoS threat

Please consider replying on this per email, as I will not be informed, for the reasons mentioned here, when you enter some comments.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-01 17:08 UTC] cmb@php.net
-Package: *General Issues +Package: Systems problem
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Aug 24 01:01:27 2019 UTC