www.ritlabs.com [Topic: TLSv1.2]

TLSv1.2

Mon, 02 Mar 2020 18:55:26 +0200

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
(cross-posting this in several topics)

Rejoice, Batmen! Version 9.1, just released, offers support for TLS AEAD AES-GCM ciphers.

See: https://www.ritlabs.com/en/news/7332/
02 March 2020 18:55:26, Daniel van Rooijen.

TLSv1.2

Thu, 20 Feb 2020 21:51:58 +0200

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
Thanks to @Daniel I found this thread.

I opened a bug report, and got no attention as well.

https://bt.ritlabs.com/view.php?id=1931

There were some helpful responses but the issue is with me or my email provider, not with TheBat!.

I am sure the developers are working on important issues but maybe something could be done.

Can you guys post your ticket numbers so we can comment and start getting some attention to this issue .
20 February 2020 21:51:58, Ivan Kovalski.

TLSv1.2

Tue, 14 Jan 2020 21:37:48 +0200

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.

====quote====
Ferenc Halasz wrote:
TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
=============

This is probably the same problem reported in this thread.

For a successful handshake, the client and the server need to have at least one cypher in common. Some providers have recently switched to a suite of cyphers that only includes "GCM"-type cyphers. The Bat, in turn, only supports "CBC"-type cyphers.

There is no solution for this. It would be great (and wise) if your provider would offer at least one CBC-type cypher to its users, so that legacy email clients and devices can continue to safely exchange email with them too.
14 January 2020 21:37:48, Daniel van Rooijen.

TLSv1.2

Tue, 14 Jan 2020 16:05:08 +0200

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
I have The Bat version 8.8.9 (64-bit), and TLS does not work because of this. The server is on cpanel, and the provider says Bat is trying to use old TLS version. I also tried to use command line parameter /TLS_VERSION_RANGE:3-3 but did not help.
What should I do to use TLS1.2?

I copy here the connection log:
Jan 14 14:16:44 atlas dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.99.35.150, lip=94.199.48.159, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=

Thanks.
14 January 2020 16:05:08, Ferenc Halasz.

TLSv1.2

Thu, 05 Jul 2018 10:55:14 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.

====quote====
Maxim Masiutin wrote:
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.
=============
Hello,

It works well with The Bat! 8.5.4 . I have no longer TLS problems.
I can now reactivate Kaspersky.

Thanks again.
05 July 2018 10:55:14, Bertrand Yvers.

TLSv1.2

Wed, 04 Jul 2018 23:55:19 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.
04 July 2018 23:55:19, Maxim Masiutin.

TLSv1.2

Thu, 28 Jun 2018 19:58:09 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
FWIW, after "upgrading" to 8.5 TheBat! stopped sending messages to my office365 account due to TLS failure. Had to go back to 8.4 to fix that.
28 June 2018 19:58:09, D Y.

TLSv1.2

Wed, 27 Jun 2018 19:39:51 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.

====quote====
Daniel van Rooijen wrote:
Did you upgrade The Bat to the current release, v8.4? If so, TLS 1.2 should work.
=============

Make that v8.5 (just released) -- the "what's new" of v8.4 hinted at TLS 1.2 support, but it was only just officially announced with v8.5:

New features

TLS 1.2. The following cipher suites are supported:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5
27 June 2018 19:39:51, Daniel van Rooijen.

TLSv1.2

Mon, 25 Jun 2018 22:03:55 +0300

TLSv1.2

Mon, 25 Jun 2018 21:08:04 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.

====quote====
I just switched web hosting platforms and they too said that the 'ciphers' in The Bat were outdated. I had to beg them to relax security so I could get my email accounts to work. This MUST get fixed pretty soon or I'll be forced to dropThe Bat; I've been using it forever! Douglas Paulley wrote:
I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.

!01/04/2018, 01:54:20: SEND - TLS handshake failure. An existing connection was forcibly closed by the remote host

So I raised a ticket with the host. They eventually tracked the problem down.

====quote====
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the authors site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.
=============
They have relaxed the requirement on the pop3 server so I can now retrieve email, but they haven't on the SMTP server (yet) so I still can't send it.

But they have a point. TLSv1.2 has been around since 2008. The PCI are indeed tightening security requirements for processing card payments to TLSv1.1 with a strong recommendation of TLSv1.2. Microsoft Office 365 will refuse TLSv1.0 and v1.1 as of October, mandating TLSv1.2. Thunderbird has supported TLSv1.2 for several years. Microsoft Outlook has been able to be configured to use TLSv1.2 for several years. Yet The Bat, which I bought over 10 years ago and all upgrades since, doesn't support it.

I'm a bit upset at this.

Is it due to be implemented any time soon?
=============

25 June 2018 21:08:04, BW7RA Stein.

TLSv1.2

Fri, 22 Jun 2018 15:29:51 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
It also supports HTML styling, which seriously raises the bar on HTML email, and includes support for block quotes, which was a topic in a recent post. I'm very impressed with the new release.

david
22 June 2018 15:29:51, david kirk.

TLSv1.2

Fri, 22 Jun 2018 14:22:02 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
The Bat v8.4 was just announced and if I read the new features correctly, it supports SNI as well as TLS 1.2 !

https://www.ritlabs.com/en/products/thebat/revision-history/7121/
22 June 2018 14:22:02, Daniel van Rooijen.

TLSv1.2

Fri, 15 Jun 2018 20:18:04 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
Ritlabs will release a new version of The Bat! in a few days with SNI support.
15 June 2018 20:18:04, Maxim Masiutin.

TLSv1.2

Sun, 27 May 2018 01:08:09 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
I think this should have first priority, TheBat has enough features already and more and more hosts shift to TLS1.2. I'm having problems with several of my hosts now that they have upgraded.

I'm writing software myself which connects to different hosts and I've also had to upgrade it to TLS1.2 because the hosts started doing it.

27 May 2018 01:08:09, Richard Andersen.

TLSv1.2

Fri, 06 Apr 2018 13:39:02 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
That doesn't sound reassuring at all.. it would be pretty bad if hosts begin to enforce TLS 1.2+ and SNI soon and my favorite email client doesn't support it!
06 April 2018 13:39:02, Daniel van Rooijen.

TLSv1.2

Thu, 05 Apr 2018 19:52:02 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
A response from the software developers.
====quote====
Indeed, currently The Bat! does not support TLS 1.2, unfortunately. At this point we have no fixed time frame for implementing TLS 1.2.
=============

05 April 2018 19:52:02, Douglas Paulley.

TLSv1.2

Tue, 03 Apr 2018 01:26:24 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
I hadn't heard of SNI before, but fr om what I understand, it allows a server to present multiple certificates.

I wonder if the lack of SNI-support that you mention also explains the situation in this other topic, wh ere The Bat wouldn't connect to a mailserver that offered two certificates.
03 April 2018 01:26:24, Daniel van Rooijen.

TLSv1.2

Mon, 02 Apr 2018 14:08:40 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
Ah. It's a cPanel/WHM host, and cPanel's documentation now states

"We only support applications that use TLSv1.2, such as IMAP, POP, FTP, and SMTP."

cPanel is used by a very lot of hosts. More reason for The Bat to support it
02 April 2018 14:08:40, Douglas Paulley.

TLSv1.2

Mon, 02 Apr 2018 13:17:01 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
Thank you both. I have put in a ticket.

Having got my host to temporarily relax to accept TLSv1.1, I'm now getting certificate name mismatch errors as a result of The Bat's failure to use SNI. SNI has also been around for over 10 years and is in increasing use, especially due to the IPv4 exhaustion. I wish The Bat offered SNI.

I've added that to the ticket too.
02 April 2018 13:17:01, Douglas Paulley.

TLSv1.2

Sun, 01 Apr 2018 15:13:30 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
Hopefully they will make TLS v1.2 a priority!
01 April 2018 15:13:30, Daniel van Rooijen.

TLSv1.2

Sun, 01 Apr 2018 15:12:51 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
Good question, especially since TLS 1.3 has been recently approved... https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/ I don't know if you'll get an answer on the forum; you may need to file a ticket with tech support. I agree, the upgrade is needed.
david
01 April 2018 15:12:51, david kirk.

TLSv1.2

Sun, 01 Apr 2018 04:13:40 +0300

TLSv1.2 in forum The Bat! - Configuring the E-mail Client.
I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.

!01/04/2018, 01:54:20: SEND - TLS handshake failure. An existing connection was forcibly closed by the remote host

So I raised a ticket with the host. They eventually tracked the problem down.

====quote====
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the authors site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.

=============
They have relaxed the requirement on the pop3 server so I can now retrieve email, but they haven't on the SMTP server (yet) so I still can't send it.

But they have a point. TLSv1.2 has been around since 2008. The PCI are indeed tightening security requirements for processing card payments to TLSv1.1 with a strong recommendation of TLSv1.2. Microsoft Office 365 will refuse TLSv1.0 and v1.1 as of October, mandating TLSv1.2. Thunderbird has supported TLSv1.2 for several years. Microsoft Outlook has been able to be configured to use TLSv1.2 for several years. Yet The Bat, which I bought over 10 years ago and all upgrades since, doesn't support it.

I'm a bit upset at this.

Is it due to be implemented any time soon?
01 April 2018 04:13:40, Douglas Paulley.