TLSv1.2
 
I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.

!01/04/2018, 01:54:20: SEND  - TLS handshake failure. An existing connection was forcibly closed by the remote host

So I raised a ticket with the host. They eventually tracked the problem down.
Quote
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the author's site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.
They have relaxed the requirement on the pop3 server so I can now retrieve email, but they haven't on the SMTP server (yet) so I still can't send it.

But they have a point. TLSv1.2 has been around since 2008. The PCI are indeed tightening security requirements for processing card payments to TLSv1.1 with a strong recommendation of TLSv1.2. Microsoft Office 365 will refuse TLSv1.0 and v1.1 as of October, mandating TLSv1.2. Thunderbird has supported TLSv1.2 for several years. Microsoft Outlook has been able to be configured to use TLSv1.2 for several years. Yet The Bat, which I bought over 10 years ago and all upgrades since, doesn't support it.

I'm a bit upset at this.

Is it due to be implemented any time soon?
 
Good question, especially since TLS 1.3 has been recently approved...  https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/  I don't know if you'll get an answer on the forum; you may need to file a ticket with tech support. I agree, the upgrade is needed.
david
 
Hopefully they will make TLS v1.2 a priority!
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Thank you both. I have put in a ticket.

Having got my host to temporarily relax to accept TLSv1.1, I'm now getting certificate name mismatch errors as a result of The Bat's failure to use SNI. SNI has also been around for over 10 years and is in increasing use, especially due to the IPv4 exhaustion. I wish The Bat offered SNI.

I've added that to the ticket too.
 
Ah. It's a cPanel/WHM host, and cPanel's documentation now states

"We only support applications that use TLSv1.2, such as IMAP, POP, FTP, and SMTP."

cPanel is used by very many hosts. More reason for The Bat to support it.
 
I hadn't heard of SNI before, but from what I understand, it allows a server to present multiple certificates.

I wonder if the lack of SNI-support that you mention also explains the situation in this other topic, where The Bat wouldn't connect to a mailserver that offered two certificates.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
A response from the software developers.
Quote
Indeed, currently The Bat! does not support TLS 1.2, unfortunately. At this point we have no fixed time frame for implementing TLS 1.2.
 
That doesn't sound reassuring at all.. it would be pretty bad if hosts begin to enforce TLS 1.2+ and SNI soon and my favorite email client doesn't support it!
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
I think this should have first priority, TheBat has enough features already and more and more hosts shift to TLS1.2. I'm having problems with several of my hosts now that they have upgraded.

I'm writing software myself which connects to different hosts and I've also had to upgrade it to TLS1.2 because the hosts started doing it.


 
 
Ritlabs will release a new version of The Bat! in a few days with SNI support.
 
The Bat v8.4 was just announced and if I read the new features correctly, it supports SNI as well as TLS 1.2 !  :)

https://www.ritlabs.com/en/products/thebat/revision-history/7121/
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
It also supports HTML styling, which seriously raises the bar on HTML email, and includes support for block quotes, which was a topic in a recent post. I'm very impressed with the new release.

david
 
I just switched web hosting platforms and they too said that the 'ciphers' in The Bat were outdated. I had to beg them to relax security so I could get my email accounts to work. This MUST get fixed pretty soon or I'll be forced to drop The Bat; I've been using it forever!
Quote
Douglas Paulley wrote:
I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.

!01/04/2018, 01:54:20: SEND  - TLS handshake failure. An existing connection was forcibly closed by the remote host

So I raised a ticket with the host. They eventually tracked the problem down.
Quote
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the author's site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.
They have relaxed the requirement on the pop3 server so I can now retrieve email, but they haven't on the SMTP server (yet) so I still can't send it.

But they have a point. TLSv1.2 has been around since 2008. The PCI are indeed tightening security requirements for processing card payments to TLSv1.1 with a strong recommendation of TLSv1.2.  Microsoft Office 365 will refuse TLSv1.0 and v1.1 as of October, mandating TLSv1.2.  Thunderbird has supported TLSv1.2 for several years. Microsoft Outlook has been able to be configured to use TLSv1.2 for several years. Yet The Bat, which I bought over 10 years ago and all upgrades since, doesn't support it.

I'm a bit upset at this.

Is it due to be implemented any time soon?
 
Quote
I just switched web hosting platforms and they too said that the 'ciphers' in The Bat were outdated. I had to beg them to relax security so I could get my email accounts to work. This MUST get fixed pretty soon or I'll be forced to drop The Bat; I've been using it forever!

Did you upgrade The Bat to the current release, v8.4? If so, TLS 1.2 should work.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Daniel van Rooijen wrote:
Did you upgrade The Bat to the current release, v8.4? If so, TLS 1.2 should work.

Make that v8.5 (just released) -- the "what's new" of v8.4 hinted at TLS 1.2 support, but it was only just officially announced with v8.5:

New features

TLS 1.2. The following cipher suites are supported:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
FWIW, after "upgrading" to 8.5 TheBat! stopped sending messages to my office365 account due to TLS failure. Had to go back to 8.4 to fix that.
 
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail servers which aborted the connection unless The Bat! sends the signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during the TLS 1.2 handshake.
 
Quote
Maxim Masiutin wrote:
You can use The Bat! 8.5.4 available to download from  https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail servers which aborted the connection unless The Bat! sends the signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during the TLS 1.2 handshake.
Hello,

It works well with The Bat! 8.5.4. I no longer have TLS problems.
I can now reactivate Kaspersky.

Thanks again.
 
I have The Bat version 8.8.9 (64-bit), and TLS does not work because of this. The server is on cPanel, and the provider says Bat is trying to use an old TLS version. I also tried the command line parameter /TLS_VERSION_RANGE:3-3 but it did not help.
What should I do to use TLS1.2?

I copy here the connection log:
Jan 14 14:16:44 atlas dovecot: pop3-login: Disconnected (no auth  attempts in 0 secs): user=<>, rip=80.99.35.150, lip=94.199.48.159,  TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL  routines:ssl3_get_client_hello:no shared cipher,  session=<Y8ZMZxmcechQYyOW>

Thanks.
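
An added example, not part of the original posts and not Dovecot or Ritlabs code: a mail administrator's view of the log entry quoted above, counting which client addresses are rejected during the TLS handshake and for which OpenSSL reason. The log lines, host name, session IDs and addresses (documentation ranges) are constructed; only the line format follows the entry in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the dovecot entry quoted above.
SAMPLE_LOG = """\
Jan 14 14:16:44 mx1 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<AAAA>
Jan 14 14:17:02 mx1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<BBBB>
Jan 14 14:20:31 mx1 dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.77, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<CCCC>
Jan 14 14:21:09 mx1 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<DDDD>
"""

# Matches only lines where the server-side handshake (SSL_accept) failed.
# \s+ tolerates the doubled spaces seen in the pasted entry.
HANDSHAKE_FAIL = re.compile(
    r"dovecot: (?P<service>[\w-]+): .*?rip=(?P<rip>[^,\s]+),.*?"
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]+):\s*SSL\s+routines:"
    r"(?P<func>[^:]+):(?P<reason>[^,]+)"
)


def handshake_failures(log_text):
    """Return (client_ip, service, reason) for every failed TLS handshake."""
    found = []
    for line in log_text.splitlines():
        m = HANDSHAKE_FAIL.search(line)
        if m:
            found.append((m["rip"], m["service"], m["reason"].strip()))
    return found


def locked_out_clients(log_text, reason="no shared cipher"):
    """Count failures per client IP for one OpenSSL reason string."""
    return Counter(rip for rip, _, why in handshake_failures(log_text)
                   if why == reason)


if __name__ == "__main__":
    for rip, count in locked_out_clients(SAMPLE_LOG).most_common():
        print(f"{rip}: {count} handshake(s) rejected, no shared cipher")
```

Run against the real mail log before and after tightening a cipher policy, the per-address counts show which users' clients will stop connecting.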
 
Quote
Ferenc Halasz wrote:
TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL  routines:ssl3_get_client_hello:no shared cipher

This is probably the same problem reported in this thread.

For a successful handshake, the client and the server need to have at least one cypher in common. Some providers have recently switched to a suite of cyphers that only includes "GCM"-type cyphers. The Bat, in turn, only supports "CBC"-type cyphers.

There is no solution for this. It would be great (and wise) if your provider would offer at least one CBC-type cypher to its users, so that legacy email clients and devices can continue to safely exchange email with them too.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
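
An added example, not part of the original posts and not Ritlabs code: the "at least one cypher in common" rule from the post above, applied to the cipher suite list announced for The Bat! v8.5 earlier in this thread. The two server policies are constructed, and server-side preference order is an assumption.

```python
from collections import Counter

# Client offer: the suites listed for The Bat! v8.5 earlier in this thread.
BAT_8_5 = """
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5
""".split()

# Constructed server policies (assumptions, not any real provider's settings).
GCM_ONLY = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
GCM_PLUS_ONE_CBC = GCM_ONLY + ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]


def describe(suite):
    """Split a suite name into key exchange, bulk cipher, mode and hash."""
    kx, rest = suite.split("_WITH_")
    kx = kx.split("_", 1)[1]                  # drop the TLS_/SSL_ prefix
    cipher, _, digest = rest.rpartition("_")
    if "GCM" in cipher or "CCM" in cipher or "CHACHA20" in cipher:
        mode = "AEAD"
    elif "CBC" in cipher:
        mode = "CBC"
    else:
        mode = "stream"                       # RC4 in this list
    return {"kx": kx, "cipher": cipher, "mode": mode, "hash": digest,
            "forward_secrecy": kx.startswith(("ECDHE", "DHE")),
            "legacy": "RC4" in cipher or "3DES" in cipher or digest == "MD5"}


def negotiate(client_offer, server_policy):
    """Return the first server-preferred suite the client also offered.

    None models the server's handshake_failure alert, which OpenSSL-based
    servers log as "no shared cipher". Server preference order is assumed.
    """
    offered = set(client_offer)
    return next((s for s in server_policy if s in offered), None)


def summarize(offer):
    """Count the offer's suites by mode, plus forward-secret and legacy ones."""
    info = [describe(s) for s in offer]
    counts = Counter(d["mode"] for d in info)
    counts["forward_secrecy"] = sum(d["forward_secrecy"] for d in info)
    counts["legacy"] = sum(d["legacy"] for d in info)
    return counts
```

`negotiate(BAT_8_5, GCM_ONLY)` returns `None`, while adding a single CBC suite to the server policy is enough for the handshake to select it.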
 
Thanks to @Daniel I found this thread.

I opened a bug report, and got no attention as well.

https://bt.ritlabs.com/view.php?id=1931

There were some helpful responses but the issue is with me or my email provider, not with TheBat!.

I am sure the developers are working on important issues but maybe something could be done.


Can you guys post your ticket numbers so we can comment and start getting some attention to this issue  :D .
 
(cross-posting this in several topics)

Rejoice, Batmen! Version 9.1, just released, offers support for TLS AEAD AES-GCM ciphers.

See: https://www.ritlabs.com/en/news/7332/
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.