The Bat version 6.8.8 - POP3 problem, Which ciphers does version 6.8.8 use?
 
Hello all,

I'm wondering if someone can help me with this.
I've searched the forums but I can't find any information.

I have just joined a new email provider and I cannot send or receive email by using POP3 or send with SMTP.
When I receive I get this error showing in the log:
FETCH - receiving mail messages
FETCH - Connecting to POP3 server **** on port 995
FETCH - Initiating TLS handshake
FETCH - Server reports TLS error: Handshake failure.
FETCH - TLS handshake failure. Connect failed

When sending I get this error:
SEND  - sending mail message(s) - 1 message(s) in queue
SEND  - Connecting to SMTP server **** on port 465
SEND  - Initiating TLS handshake
SEND  - Server reports TLS error: Handshake failure.
SEND  - TLS handshake failure. Connect failed

I have checked all the POP3 and SMTP Authentication Settings and even according to the provider they are all set ok.
The provider has now said that The Bat! version 6.8.8 (which is what I am using) should be able to use one of the following ciphers:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  256 bits (ECDHE 256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  256 bits (ECDHE 256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  256 bits (ECDHE 256 bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  128 bits (ECDHE 256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  128 bits (ECDHE 256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  128 bits (ECDHE 256 bits)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384  256 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  256 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA  256 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  256 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  128 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  128 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA  128 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_SEED_CBC_SHA  128 bits (DHE 2048 bits)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  128 bits (DHE 2048 bits)
TLS_RSA_WITH_AES_256_GCM_SHA384  256 bits
TLS_RSA_WITH_AES_256_CBC_SHA256  256 bits
TLS_RSA_WITH_AES_256_CBC_SHA  256 bits
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA  256 bits
TLS_RSA_WITH_AES_128_GCM_SHA256  128 bits
TLS_RSA_WITH_AES_128_CBC_SHA256  128 bits
TLS_RSA_WITH_AES_128_CBC_SHA  128 bits
TLS_RSA_WITH_SEED_CBC_SHA  128 bits
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA  128 bits


So my question is...
Does The Bat! version 6.8.8 support any of these ciphers and if not, then what ones does it support and where can I find this information?


Any help would be much appreciated.



Dan
 
The Bat has added many cipher suites over the course of v7.x and v8.x, so my first suggestion would be to upgrade to the latest version supported by your license and see if it works, or to the current release (if you don't mind paying for an upgrade) as it looks like that will definitely support your provider's encryption methods.

In the announcement of The Bat! v8.5.8 which introduced TLS v1.2 support, Ritlabs listed these cipher suites specifically as supported:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (*)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (*)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (*)
TLS_RSA_WITH_AES_256_CBC_SHA256 (*)
TLS_RSA_WITH_AES_128_CBC_SHA256 (*)
TLS_RSA_WITH_AES_256_CBC_SHA (*)
TLS_RSA_WITH_AES_128_CBC_SHA (*)
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5

(*) also on your provider's list.

ps: For a full revision history of The Bat!, see here.
For a Google search for "TLS" within the revision history, click here.
Edited: Daniel van Rooijen - 19 August 2018 03:03:54
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Hello Daniel,

Thank you for taking the time to read and reply to my question.

I have actually seen that list of cipher suites that v8.5.8 supports and I'm aware that upgrading might solve the problem. I would have to purchase a v8.5.8 licence because my version of 6.8.8 was only available to upgrade up to v6.9, not even v7.0.

I'm not actually averse to paying for an up to date version, and I was considering doing so even before this problem arose, but I don't see much benefit in doing so until I have figured out why v6.8.8 is not functioning with this particular email provider.

I may be strange, or just curious, but if v6.8.8 is missing a particular cipher I would like to know about this before I decide to upgrade, or whatever I have to do to get functionality with this email provider.
I do like to know how and why something broke or won't work and how it subsequently got fixed.
I think their support guy is wondering too.

So really, I would still like to know what cipher suites The Bat! v6.8.8 supports and therefore, I would graciously like to ask 'part of' the question again.

What cipher suites does The Bat! 6.6.8 support?

Thank you

Dan
 
Quote
I'm not actually averse to paying for an up to date version, and I was considering doing so even before this problem arose, but I don't see much benefit in doing so until I have figured out why v6.8.8 is not functioning with this particular email provider.

You could try a packet analyzer like Wireshark (free software) to see the actual exchange between your provider and The Bat.

Quote
[..] if v6.8.8 is missing a particular cipher I would like to know about this before I decide to upgrade, or whatever I have to do to get functionality with this email provider.

I suspect that the real problem is that your provider is enforcing TLS v1.2 compatibility, which was only recently added to The Bat. If that's true, older versions of The Bat won't be able to connect regardless of what cipher types they support. Many providers are currently moving up to TLS v1.2 to remain compliant with PCI (Payment Card Industry) security standards.

Quote
So really, I would still like to know what cipher suites The Bat! v6.8.8 supports and therefore, I would graciously like to ask 'part of' the question again.

I don't think Ritlabs has ever published that information. Have you asked Support?
 
Hello Daniel,

Thank you for getting back to me with your thoughts and advice.

I will try and see if I can get some information from Wireshark. It will be something new for me to learn.

I have also asked Ritlabs Support if they might be able to tell me which cipher suites are used in v6.8.8.
I'll wait for Ritlabs support and see what they have to say. I have found them to be very knowledgeable and helpful in the past.

I think you might well be correct on the TLS v1.2 and the email provider that I am trying to use.

The provider seems to be quite proud of their approach to security so maybe this is what is causing my issue. Therefore, after reading your comment, I have asked the provider if they are using TLS v1.2 and I am going to have to wait for their reply.
They do also seem to be quite on the ball with their technical knowledge.

So, I shall be waiting until I get further information.

Thank you again for your input.

Dan
 
This issue has been solved and explained by Ritlabs Support.

For anyone who is interested, it turns out that The Bat! v6.8.8 does not support Elliptic Curves or Perfect Forward Secrecy and it was this that was causing the connection issue.
These functions were implemented in The Bat! v7.3.2.

The Bat! would connect to the email server without the need to use TLS 1.2.
However, without PFS enabled, it would not connect.

This is a valid reason to purchase an upgrade to the latest version of The Bat!

For the curious among you... the email provider that this issue related to was Posteo.de.

Thank you to Daniel for your thoughts and suggestions (I did try your Wireshark idea, but it didn't reveal anything obvious to me)
and to Ritlabs Support who were very, erm, supportive and prompt in solving this issue. I don't think I'm supposed to mention names here, but the dude at support knows who he is.

Thanks

Dan
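
Added example, not part of the thread and not Ritlabs code: the two cipher-suite lists posted above, reduced to the set logic of a TLS handshake, showing why a client with no ECDHE/DHE suites gets "Handshake failure" from a server that insists on forward secrecy. Assumptions: the server picks in its own posted order, `require_pfs` models the policy Ritlabs Support described, and `NO_PFS_CLIENT` is a constructed stand-in (the v8.5.8 list with its ephemeral suites removed), not the actual v6.8.8 list, which the thread never gives.

```python
# Provider's accepted suites, in the order posted in the thread.
PROVIDER = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
""".split()

# Suites listed for The Bat! v8.5.8, as quoted in the moderator's reply.
BAT_858 = """
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
""".split()

def forward_secret(suite):
    # Key exchange is the part between the TLS_/SSL_ prefix and _WITH_.
    kx = suite.split("_WITH_")[0].split("_", 1)[1]
    return kx.startswith(("ECDHE", "DHE"))  # ephemeral DH; static RSA is not

def negotiate(client, server, require_pfs=False):
    # First suite in server order that the client offers; None = handshake failure.
    for suite in server:
        if suite in client and (forward_secret(suite) or not require_pfs):
            return suite
    return None

def shared(client, server):
    return [s for s in server if s in client]

# Constructed stand-in for a client without EC/PFS support (an assumption,
# NOT the real v6.8.8 list): the v8.5.8 list minus its ephemeral suites.
NO_PFS_CLIENT = [s for s in BAT_858 if not forward_secret(s)]

if __name__ == "__main__":
    print("v8.5.8, PFS required:", negotiate(BAT_858, PROVIDER, True))
    print("no-PFS client, PFS required:", negotiate(NO_PFS_CLIENT, PROVIDER, True))
```

A real ClientHello captured in Wireshark shows the client's offered list in its Cipher Suites field, which is the input `negotiate` stands in for here.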
 
As a final addition to this post.


The email provider has confirmed to me that they are currently using TLS 1.2 and that an upgrade of The Bat! would be needed in order to connect to their servers.


I had already bought an updated version of The Bat! previous to this confirmation and that had already fixed the issue.
 
Thanks for letting the forum know how it all ended. Glad to see that you've got it all working now. I'm also very glad that when TLS v1.2 was threatening to become a problem for many of us, Ritlabs acted swiftly to make The Bat (finally :)) support it!