SSL Protocol Filtering


  • ESET Insiders

Hello,

I have two questions about how the ESS 7.0.104.0 beta SSL protocol filtering works with two of my apps. The questions are for me to determine whether that feature is working correctly on my system or whether I am doing something wrong.

  1. The first question concerns SSL protocol filtering with Trillian Instant Messenger (multi-client messaging system). I have Trillian set up with ten different messaging clients/APIs/protocols and they are all set up to use SSL. The following work with no issues at all: Trillian, Facebook, MSN, Skype, LinkedIn, and Twitter. However, with the following I have to make certificate exclusions in order for them to work: Google, AIM, ICQ, and Yahoo. One would think I would need to make exclusions for either all (in the case it was not working) or none (in the case it was working). Why do six protocols work with no issues while four have to have their certificates excluded? Is there something I am missing or doing wrong? I have tried everything within my limited knowledge but cannot get all ten protocols to work.
  2. My second question deals with SSL protocol filtering with TheBat! e-mail client. I have three different e-mail providers that I use, all set up to use SSL, and the results are different for all three. My first provider is AT&T (AT&T contracts Yahoo Mail to provide the service). I never get any errors with this provider and all works perfectly. My second e-mail provider is Lavabit and I also have it set up to use SSL. About ten to twenty per cent of the time, I get a "TLS Handshake Failure". With my third provider, Google, set up for SSL, I get the same "TLS Handshake Failure" as with Lavabit, except it occurs far more frequently, about fifty to sixty per cent of the time. All three providers are set up identically to receive e-mail using POP3S (I do not use IMAP). Again a similar question as above: why does one provider have no issues while another has an occasional issue, and the last one has frequent issues? Again, am I missing something or doing something wrong?
  3. Sample error log from #2 above:
     7/26/2013, 13:45:43: FETCH - receiving mail messages
     7/26/2013, 13:45:43: FETCH - Connecting to POP3 server pop.gmail.com on port 995
     7/26/2013, 13:45:43: FETCH - Couldn't connect to 2607:f8b0:400d:c00::6d trying subsequent addresses...
     7/26/2013, 13:45:43: FETCH - Connecting to 173.194.76.108...
     7/26/2013, 13:45:43: FETCH - Initiating TLS handshake
     !7/26/2013, 13:45:44: FETCH - TLS handshake failure. An existing connection was forcibly closed by the remote host

I imagine that the above issues are due to a combination of a lack of knowledge and understanding as to exactly how the SSL protocol filtering feature works within ESS 7.0.104.0 beta. Any instruction and/or knowledge concerning this that could be passed along to me will be greatly appreciated...
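To make the per-provider comparison in question 2 from the log rather than by hand, here is an added Python example (not from this thread, ESET or TheBat!) that parses FETCH log lines in the format quoted above and reports the TLS handshake failure rate per POP3 server. The sample log is constructed; the "TLS handshake completed" lines and the host pop.example-isp.net are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in TheBat! FETCH-log format, modelled on the lines quoted in the thread.
# The "TLS handshake completed" lines and the host pop.example-isp.net are assumed placeholders.
SAMPLE_LOG = """\
7/26/2013, 13:45:43: FETCH - receiving mail messages
7/26/2013, 13:45:43: FETCH - Connecting to POP3 server pop.gmail.com on port 995
7/26/2013, 13:45:43: FETCH - Couldn't connect to 2607:f8b0:400d:c00::6d trying subsequent addresses...
7/26/2013, 13:45:43: FETCH - Connecting to 173.194.76.108...
7/26/2013, 13:45:43: FETCH - Initiating TLS handshake
!7/26/2013, 13:45:44: FETCH - TLS handshake failure. An existing connection was forcibly closed by the remote host
7/26/2013, 13:50:01: FETCH - Connecting to POP3 server pop.gmail.com on port 995
7/26/2013, 13:50:01: FETCH - Initiating TLS handshake
7/26/2013, 13:50:02: FETCH - TLS handshake completed
7/26/2013, 13:55:01: FETCH - Connecting to POP3 server pop.example-isp.net on port 995
7/26/2013, 13:55:01: FETCH - Initiating TLS handshake
7/26/2013, 13:55:02: FETCH - TLS handshake completed
"""

# TheBat! prefixes error lines with "!"; the failure pattern relies on that marker.
CONNECT_RE = re.compile(r"FETCH - Connecting to POP3 server (?P<host>\S+) on port (?P<port>\d+)$")
HANDSHAKE_RE = re.compile(r"FETCH - Initiating TLS handshake$")
FAILURE_RE = re.compile(r"^!.*FETCH - TLS handshake failure")


def handshake_stats(log_text):
    """Per-POP3-server TLS handshake counts: {host: {"attempts", "failures", "rate"}}."""
    # Each handshake is attributed to the most recent "Connecting to POP3 server" line.
    counts = defaultdict(lambda: {"attempts": 0, "failures": 0})
    current = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = m.group("host")
        elif current is None:
            continue  # lines seen before any connect line cannot be attributed
        elif HANDSHAKE_RE.search(line):
            counts[current]["attempts"] += 1
        elif FAILURE_RE.match(line):
            counts[current]["failures"] += 1
    return {host: {**c, "rate": c["failures"] / c["attempts"] if c["attempts"] else 0.0}
            for host, c in counts.items()}


def suspect_hosts(stats, threshold=0.2):
    """Hosts whose handshake failure rate exceeds the threshold, worst first."""
    return sorted((h for h, s in stats.items() if s["rate"] > threshold),
                  key=lambda h: stats[h]["rate"], reverse=True)
```

A failure rate that differs sharply between servers reached with identical client settings points at something specific to that server's TLS exchange as it passes through the filter, which is the pattern the post describes.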

Well, you have to determine if that error is because of the layer 5 transport layer of OSI using "SSL" or if it's using the actual protocol "TLS" vs "SSL".

As with most mail servers, you could either be describing that error from using the wrong encryption type, or as a general error of the SSL being rejected by the server.

At layer 5 the handshake is performed, and then at layer 6 the communication is encrypted.

That sounds like what needs to be determined.

Do you have full access to adjust mail settings?


  • ESET Insiders

Hello,

With SSL Protocol Filtering disabled in ESS, I never get any errors of any kind in either TheBat! e-mail client or Trillian Instant Messenger. It is only with SSL Protocol Filtering enabled in ESS that I get the error scenario listed in my first post. This is telling me that both are set up properly, as they do work error-free with ESS's SSL Protocol Filtering disabled. I would then think that I have some setting wrong in ESS or there is some conflict/issue between the two. Additionally, if I had some setting wrong with my e-mail client, then one would think I would always get errors, not randomly as I am. Just for testing purposes, I toggled through the different encryption methods in my e-mail client, but whatever I changed it to resulted in failures 100% of the time. The issues only appear when trying to enable SSL Protocol Filtering in ESS. My theory is that both TheBat! and Trillian are not fully compatible (only partially compatible) with the SSL Protocol Filtering in ESS.


> Hello,
>
> With SSL Protocol Filtering disabled in ESS, I never get any errors of any kind in either TheBat! e-mail client or Trillian Instant Messenger. It is only with SSL Protocol Filtering enabled in ESS that I get the error scenario listed in my first post. This is telling me that both are set up properly, as they do work error-free with ESS's SSL Protocol Filtering disabled. I would then think that I have some setting wrong in ESS or there is some conflict/issue between the two. Additionally, if I had some setting wrong with my e-mail client, then one would think I would always get errors, not randomly as I am. Just for testing purposes, I toggled through the different encryption methods in my e-mail client, but whatever I changed it to resulted in failures 100% of the time. The issues only appear when trying to enable SSL Protocol Filtering in ESS. My theory is that both TheBat! and Trillian are not fully compatible (only partially compatible) with the SSL Protocol Filtering in ESS.

Just a question to make sure....

When you enable SSL protocol checking, do you uncheck, or have you tried, "Block encrypted communication utilizing the obsolete protocol SSL ver2"?

This would mean the mail server is relying on a handshake that has so many flaws it could be laughed at, ver3 is patched.

Can you try and see?

Is the mail domain public/known or private/masked?

I suspect that the problem is that TheBat and Trillium are not using the Certificate Store in Windows. For example, Firefox and Thunderbird have their own certificate stores, and ESET has to update its product on occasion to install the ESET certificate into the Firefox/Thunderbird certificate store. If you are an advanced user, and your problematic application allows this, you can add the ESET certificate into those application stores so that it is trusted. You can export the ESET certificate by going into your ESET Advanced Settings -> Web and email -> Protocol filtering -> SSL -> Certificates -> View certificate (button) -> Details (tab) -> Copy to File... -> DER encoded binary X.509 (.CER) -> Save the file somewhere on your computer.


Once the certificate is exported, you would then need to import the certificate into the application and mark the certificate as a trusted CA certificate. Once this is done you should get the SSL scanning to work.


It appears that with TheBat you can import the certificate using this path: The Bat! > Address Book > Trusted Root CA > ^T > Certificates > Import. I'm not too sure if this is the correct path; I just did some Google searching and support forums came up with this result.


  • Administrators

If importing the root certificate doesn't resolve the issue, we'd need to get further logs for investigation. Let us know about your findings so that I can provide you with further instructions if the advice given doesn't help.


  • ESET Insiders

Hello,

Thanks everyone for the replies! I am extremely busy at the moment and it will probably be a day or two before I can try them out. As soon as I am able, I will post back here with my results. Thanks again...


  • ESET Insiders

Hello,

> When you enable SSL protocol checking, do you uncheck, or have you tried, "Block encrypted communication utilizing the obsolete protocol SSL ver2"?
>
> Is the mail domain public/known or private/masked?

I had previously tried that option, but I went back and tried it again (both checked and unchecked) to re-verify my results. That setting makes no difference, as the issue persists either way.

I am not familiar with the terminology (public/known or private/masked), but my e-mail providers are just standard ones that anyone may go to and sign up for (so I would assume public).

One thing has changed since my original post: the accounts with Lavabit and AT&T (through Yahoo) are both working without any errors. The errors are with the Gmail (Google) accounts. Gmail works fine with SSL protocol filtering disabled and fails with "TLS handshake failure. An existing connection was forcibly closed by the remote host", with the failure rate being about 50 to 60%.


  • ESET Insiders

Hello,

> I suspect that the problem is that TheBat and Trillium are not using the Certificate Store in Windows. For example, Firefox and Thunderbird have their own certificate stores, and ESET has to update its product on occasion to install the ESET certificate into the Firefox/Thunderbird certificate store. If you are an advanced user, and your problematic application allows this, you can add the ESET certificate into those application stores so that it is trusted. You can export the ESET certificate by going into your ESET Advanced Settings -> Web and email -> Protocol filtering -> SSL -> Certificates -> View certificate (button) -> Details (tab) -> Copy to File... -> DER encoded binary X.509 (.CER) -> Save the file somewhere on your computer.
>
> Once the certificate is exported, you would then need to import the certificate into the application and mark the certificate as a trusted CA certificate. Once this is done you should get the SSL scanning to work.
>
> It appears that with TheBat you can import the certificate using this path: The Bat! > Address Book > Trusted Root CA > ^T > Certificates > Import. I'm not too sure if this is the correct path; I just did some Google searching and support forums came up with this result.

I have now tried the above suggestions as to exporting and importing the certificate, but the issue still remains afterwards. I was able to import it into TheBat!, but with Trillian there is no such option. Also, when I did the export of the certificate, there was an option to export the associated private key along with the certificate, but the option was greyed out and I could not select it. I do not know if the private key is required on the export and then the import or not, but I thought I needed to mention it for those more knowledgeable than me to advise.


  • ESET Insiders

Hello Marcus,

> If importing the root certificate doesn't resolve the issue, we'd need to get further logs for investigation. Let us know about your findings so that I can provide you with further instructions if the advice given doesn't help.

As you can see by my above posts, the advice did not help.

I do have a question:

Is it necessary to export the private key associated with the ESS SSL certificate to import it into TheBat!?

Also with Trillian, there is no way to import/export keys into it, so I am not sure if it uses its own certificate store or windows.

It is just strange to me that with both TheBat! and Trillian, some of the SSL protocol filtering works fine while with others I have to exclude certificates or get random handshake errors. It is not a clear-cut "it is working" or "it is not working", as some accounts with each program do fine and others have issues.

Thanks for everyone's help...


  • 2 weeks later...
  • ESET Insiders

Hello,

I just wanted to post an update on my issues.

The US government helped me with my issues with TheBat! e-mail client due to the closing of Lavabit. After Lavabit's closing, I had to look at my e-mail providers. Obviously, my Lavabit accounts have been closed. I have been thinking seriously about closing all of my Gmail accounts also, and decided to do so at this time. This means that the two e-mail providers that had the issues I no longer use. All of my accounts are now through my ISP (AT&T/Yahoo), which has never had any issues with ESS 7 and TheBat! So, even though my issues were never actually solved, I am no longer having problems with TheBat! and SSL protocol filtering.

However, the issues with Trillian instant messenger remain, and I have implemented a workaround by excluding the certificates for the accounts with connection problems. This workaround of excluding certificates is not ideal, but it works and I can live with it.

In summary, the TheBat! issues were resolved by changing e-mail providers, and the Trillian issues have been worked around by excluding the relevant certificates.

Thanks for the feedback from everyone! As always, I am open to a fix if and when it may be available for Trillian, so I may remove the certificates that I have placed on the exclusion list.

Thanks again!
