TLSv1.2

Beginner

Posts: 5 Points: 2 Rating: 8 Authority: 8 Joined: 22 May 2015

2.9455

01 April 2018 04:13:40

I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.

!01/04/2018, 01:54:20: SEND - TLS handshake failure. An existing connection was forcibly closed by the remote host

So I raised a ticket with the host. They eventually tracked the problem down.

Quote
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the authors site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.

They have relaxed the requirement on the pop3 server so I can now retrieve email, but they haven't on the SMTP server (yet) so I still can't send it.

But they have a point. TLSv1.2 has been around since 2008. The PCI are indeed tightening security requirements for processing card payments to TLSv1.1 with a strong recommendation of TLSv1.2. Microsoft Office 365 will refuse TLSv1.0 and v1.1 as of October, mandating TLSv1.2. Thunderbird has supported TLSv1.2 for several years. Microsoft Outlook has been able to be configured to use TLSv1.2 for several years. Yet The Bat, which I bought over 10 years ago and all upgrades since, doesn't support it.

I'm a bit upset at this.

Is it due to be implemented any time soon?

david kirk Guru Posts: 415 Points: 748 Rating: 888 Authority: 853 Joined: 11 February 2017	#2 0 01 April 2018 15:12:51 Good question, especially since TLS 1.3 has been recently approved... https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/ I don't know if you'll get an answer on the forum; you may need to file a ticket with tech support. I agree, the upgrade is needed. david

Daniel van Rooijen Administrator Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003	#3 0 01 April 2018 15:13:30 Hopefully they will make TLS v1.2 a priority! I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

Douglas Paulley Beginner Posts: 5 Points: 2 Rating: 8 Authority: 8 Joined: 22 May 2015	#4 0 02 April 2018 13:17:01 Thank you both. I have put in a ticket. Having got my host to temporarily relax to accept TLSv1.1, I'm now getting certificate name mismatch errors as a result of The Bat's failure to use SNI. SNI has also been around for over 10 years and is in increasing use, especially due to the IPv4 exhaustion. I wish The Bat offered SNI. I've added that to the ticket too.

Douglas Paulley Beginner Posts: 5 Points: 2 Rating: 8 Authority: 8 Joined: 22 May 2015	#5 0 02 April 2018 14:08:40 Ah. It's a cPanel/WHM host, and cPanel's documentation now states "We only support applications that use TLSv1.2, such as IMAP, POP, FTP, and SMTP." cPanel is used by a very lot of hosts. More reason for The Bat to support it

Daniel van Rooijen

Administrator

Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003

03 April 2018 01:26:24

I hadn't heard of SNI before, but fr om what I understand, it allows a server to present multiple certificates.

I wonder if the lack of SNI-support that you mention also explains the situation in this other topic, wh ere The Bat wouldn't connect to a mailserver that offered two certificates.

I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

Douglas Paulley

Beginner

Posts: 5 Points: 2 Rating: 8 Authority: 8 Joined: 22 May 2015

05 April 2018 19:52:02

A response from the software developers.

Quote
Indeed, currently The Bat! does not support TLS 1.2, unfortunately. At this point we have no fixed time frame for implementing TLS 1.2.

Daniel van Rooijen Administrator Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003	#8 0 06 April 2018 13:39:02 That doesn't sound reassuring at all.. it would be pretty bad if hosts begin to enforce TLS 1.2+ and SNI soon and my favorite email client doesn't support it! I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

Richard Andersen User Posts: 18 Points: 26 Rating: 6 Authority: 6 Joined: 06 April 2009	#9 0 27 May 2018 01:08:09 I think this should have first priority, TheBat has enough features already and more and more hosts shift to TLS1.2. I'm having problems with several of my hosts now that they have upgraded. I'm writing software myself which connects to different hosts and I've also had to upgrade it to TLS1.2 because the hosts started doing it.

Maxim Masiutin Guru Posts: 644 Points: 1158 Rating: 23 Authority: 23 Joined: 09 September 2003	#10 0 15 June 2018 20:18:04 Ritlabs will release a new version of The Bat! in a few days with SNI support.

Daniel van Rooijen Administrator Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003	#11 0 22 June 2018 14:22:02 The Bat v8.4 was just announced and if I read the new features correctly, it supports SNI as well as TLS 1.2 ! https://www.ritlabs.com/en/products/thebat/revision-history/7121/ I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

david kirk Guru Posts: 415 Points: 748 Rating: 888 Authority: 853 Joined: 11 February 2017	#12 0 22 June 2018 15:29:51 It also supports HTML styling, which seriously raises the bar on HTML email, and includes support for block quotes, which was a topic in a recent post. I'm very impressed with the new release. david

BW7RA Stein

User

Posts: 1 Rating: 0 Authority: 0 Joined: 07 July 2014

#13

25 June 2018 21:08:04

Quote

I just switched web hosting platforms and they too said that the 'ciphers' in The Bat were outdated. I had to beg them to relax security so I could get my email accounts to work. This MUST get fixed pretty soon or I'll be forced to dropThe Bat; I've been using it forever! Douglas Paulley wrote:
I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.

!01/04/2018, 01:54:20: SEND - TLS handshake failure. An existing connection was forcibly closed by the remote host

So I raised a ticket with the host. They eventually tracked the problem down.

Quote
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the authors site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.

Daniel van Rooijen

Administrator

Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003

#14

25 June 2018 22:03:55

Quote
I just switched web hosting platforms and they too said that the 'ciphers' in The Bat were outdated. I had to beg them to relax security so I could get my email accounts to work. This MUST get fixed pretty soon or I'll be forced to dropThe Bat; I've been using it forever!

Did you upgrade The Bat to the current release, v8.4? If so, TLS 1.2 should work.

I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

Daniel van Rooijen

Administrator

Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003

#15

27 June 2018 19:39:51

Quote
Daniel van Rooijen wrote: Did you upgrade The Bat to the current release, v8.4? If so, TLS 1.2 should work.

Make that v8.5 (just released) -- the "what's new" of v8.4 hinted at TLS 1.2 support, but it was only just officially announced with v8.5:

New features

TLS 1.2. The following cipher suites are supported:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5

I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

D Y User Posts: 18 Points: 14 Rating: 1 Authority: 1 Joined: 08 April 2011	#16 0 28 June 2018 19:58:09 FWIW, after "upgrading" to 8.5 TheBat! stopped sending messages to my office365 account due to TLS failure. Had to go back to 8.4 to fix that.

Maxim Masiutin

Guru

Posts: 644 Points: 1158 Rating: 23 Authority: 23 Joined: 09 September 2003

#17

04 July 2018 23:55:19

You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.

Bertrand Yvers

Beginner

Posts: 9 Points: 5 Rating: 0 Authority: 0 Joined: 01 July 2018

#18

05 July 2018 10:55:14

Quote

Maxim Masiutin wrote:
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.

Hello,

It works well with The Bat! 8.5.4 . I have no longer TLS problems.
I can now reactivate Kaspersky.

Thanks again.

Ferenc Halasz

Beginner

Posts: 4 Points: 2 Rating: 0 Authority: 0 Joined: 14 January 2020

#19

14 January 2020 16:05:08

I have The Bat version 8.8.9 (64-bit), and TLS does not work because of this. The server is on cpanel, and the provider says Bat is trying to use old TLS version. I also tried to use command line parameter /TLS_VERSION_RANGE:3-3 but did not help.
What should I do to use TLS1.2?

I copy here the connection log:
Jan 14 14:16:44 atlas dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.99.35.150, lip=94.199.48.159, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<Y8ZMZxmcechQYyOW>

Thanks.

Daniel van Rooijen

Administrator

Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003

#20

14 January 2020 21:37:48

Quote
Ferenc Halasz wrote: TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

This is probably the same problem reported in this thread.

For a successful handshake, the client and the server need to have at least one cypher in common. Some providers have recently switched to a suite of cyphers that only includes "GCM"-type cyphers. The Bat, in turn, only supports "CBC"-type cyphers.

There is no solution for this. It would be great (and wise) if your provider would offer at least one CBC-type cypher to its users, so that legacy email clients and devices can continue to safely exchange email with them too.

I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

Ivan Kovalski

User

Posts: 19 Points: 27 Rating: 13 Authority: 12 Joined: 28 May 2015

#21

20 February 2020 21:51:58

Thanks to @Daniel I found this thread.

I opened a bug report, and got no attention as well.

https://bt.ritlabs.com/view.php?id=1931

There were some helpful responses but the issue is with me or my email provider, not with TheBat!.

I am sure the developers are working on important issues but maybe something could be done.

Can you guys post your ticket numbers so we can comment and start getting some attention to this issue

Daniel van Rooijen Administrator Posts: 1465 Points: 4400 Rating: 5708 Authority: 5516 Joined: 04 September 2003	#22 0 02 March 2020 18:55:26 (cross-posting this in several topics) Rejoice, Batmen! Version 9.1, just released, offers support for TLS AEAD AES-GCM ciphers. See: https://www.ritlabs.com/en/news/7332/ I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.

Products

Support

News

Company

Community