[Noisebridge-discuss] discussion list censorship....

Andy Isaacson adi at hexapodia.org
Wed Jan 26 20:37:01 PST 2011


On Wed, Jan 26, 2011 at 08:06:57PM -0800, Andy Isaacson wrote:
> On Wed, Jan 26, 2011 at 08:00:31PM -0800, Andy Isaacson wrote:
> > On Wed, Jan 26, 2011 at 06:37:43PM -0800, Shannon Lee wrote:
> > > there is no censorship of noisebridge-discuss; everything that gets sent to
> > > noisebridge-discuss by a subscriber to noisebridge-discuss gets posted to
> > > the list.  unfortunately.
> > > 
> > > if there is a technical problem that is preventing people from posting,
> > > please let someone (like a board member, or andy, or even me) know (if you
> > > can't post it to the list).
> > 
> > Indeed.  I'll also respond (though with very high latency) to messages
> > prefixed with "radii:" on #noisebridge on Freenode IRC, or you can leave
> > a message with noisebot.
> 
> Oh mega fucking lulz.
> 
> Jan 26 19:59:42 m1 postfix/smtpd[16654]: connect from mail-qw0-f45.google.com[209.85.216.45]
> Jan 26 19:59:42 m1 postfix/smtpd[16654]: SSL_accept error from mail-qw0-f45.google.com[209.85.216.45]: -1
> Jan 26 19:59:42 m1 postfix/smtpd[16654]: warning: TLS library problem: 16654:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1023:
> Jan 26 19:59:42 m1 postfix/smtpd[16654]: lost connection after STARTTLS from mail-qw0-f45.google.com[209.85.216.45]
> Jan 26 19:59:42 m1 postfix/smtpd[16654]: disconnect from mail-qw0-f45.google.com[209.85.216.45]
> 
> Our current config is:
> 
> smtpd_tls_exclude_ciphers = aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA
> 
> Anybody fancy debugging an SSL handshake via tcpdump to figure out which
> ciphers GMail supports?
> 
> FWIW, we turned on STARTTLS on December 11.

smtpd_tls_loglevel = 2 to the rescue.  (No thanks to the TLS designers
who gave the server no way of probing what the client accepts other than
brute force.)

GMail will give up if it can't use either RC4-SHA or DES-CBC3-SHA; they
won't negotiate any AES256 or SHA-2 modes.  I'll leave RC4-SHA enabled
for the time being and try to get GMail to move their crypto suite into
the current decade.

(Apparently gmail eventually falls back to a small number of outbound
SMTP servers that don't do STARTTLS at all, which is why the messages
were making it through with a delay, and is also a completely hilarious
security vulnerability of its own.)

-andy
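As an added example (not code from this thread, from Noisebridge, or from Postfix itself): a small Python script that groups the postfix smtpd lines quoted above by process id and flags clients whose STARTTLS handshake died with "no shared cipher", plus a simplified model of how the smtpd_tls_exclude_ciphers list interacts with what a client offers. The second log session (mx.example.test / 192.0.2.10), the server's supported suite list, and the keyword expansion for aNULL/MD5/DES/3DES are assumptions of the example; the thread only states the GMail suites and the exclude list.

```python
import re
from collections import Counter

# Constructed sample log: the first session is the one quoted in the thread
# (host, IP and PID copied from the message); the second session is a made-up
# peer (mx.example.test / 192.0.2.10) whose handshake succeeds, added so the
# parser has both outcomes to classify.
SAMPLE_LOG = """\
Jan 26 19:59:42 m1 postfix/smtpd[16654]: connect from mail-qw0-f45.google.com[209.85.216.45]
Jan 26 19:59:42 m1 postfix/smtpd[16654]: SSL_accept error from mail-qw0-f45.google.com[209.85.216.45]: -1
Jan 26 19:59:42 m1 postfix/smtpd[16654]: warning: TLS library problem: 16654:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1023:
Jan 26 19:59:42 m1 postfix/smtpd[16654]: lost connection after STARTTLS from mail-qw0-f45.google.com[209.85.216.45]
Jan 26 19:59:42 m1 postfix/smtpd[16654]: disconnect from mail-qw0-f45.google.com[209.85.216.45]
Jan 26 20:03:10 m1 postfix/smtpd[16702]: connect from mx.example.test[192.0.2.10]
Jan 26 20:03:10 m1 postfix/smtpd[16702]: Anonymous TLS connection established from mx.example.test[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 26 20:03:11 m1 postfix/smtpd[16702]: disconnect from mx.example.test[192.0.2.10]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
ESTABLISHED_RE = re.compile(
    r"TLS connection established from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")


def parse_tls_sessions(log_text):
    """Group smtpd log lines by process id and classify each client session.

    Returns one dict per finished session: host, ip, outcome, cipher.
    """
    open_sessions = {}
    finished = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = {"host": c.group("host"), "ip": c.group("ip"),
                                  "outcome": "no-tls", "cipher": None}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue
        if "no shared cipher" in msg:
            s["outcome"] = "handshake-failed:no-shared-cipher"
        elif msg.startswith("lost connection after STARTTLS") and s["outcome"] == "no-tls":
            s["outcome"] = "handshake-failed"
        e = ESTABLISHED_RE.search(msg)
        if e:
            s["outcome"] = "tls-established"
            s["cipher"] = e.group("cipher")
        if msg.startswith("disconnect from"):
            finished.append(open_sessions.pop(pid))
    return finished


def failed_handshakes_by_host(sessions):
    """Count clients that tried STARTTLS and failed; worth alerting on."""
    return Counter(s["host"] for s in sessions if s["outcome"].startswith("handshake-failed"))


# Simplified model of the OpenSSL cipher-string keywords used in the thread's
# exclude list (assumption: real OpenSSL keyword matching is richer than this).
KEYWORD_MATCH = {
    "aNULL": lambda name: name.startswith(("ADH-", "AECDH-")),
    "MD5": lambda name: name.endswith("-MD5"),
    "DES": lambda name: "DES-CBC-" in name,     # single DES, e.g. DES-CBC-SHA
    "3DES": lambda name: "DES-CBC3" in name,    # triple DES, e.g. DES-CBC3-SHA
}


def is_excluded(name, exclude_list):
    """True if a suite name is removed by an smtpd_tls_exclude_ciphers entry."""
    for entry in (e.strip() for e in exclude_list.split(",")):
        if entry == name:
            return True
        matcher = KEYWORD_MATCH.get(entry)
        if matcher and matcher(name):
            return True
    return False


def negotiable_ciphers(client_offered, server_supported, exclude_list):
    """Suites both sides can still use after the server applies its exclusions."""
    return [c for c in client_offered
            if c in server_supported and not is_excluded(c, exclude_list)]


GMAIL_OFFERED = ["RC4-SHA", "DES-CBC3-SHA"]  # the two suites the thread says GMail insists on
SERVER_SUPPORTED = ["DHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA",
                    "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]  # constructed server list
EXCLUDE_ORIGINAL = "aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA"
EXCLUDE_RELAXED = "aNULL, MD5, DES, 3DES, DES-CBC3-SHA, AES256-SHA, AES128-SHA"  # RC4-SHA left enabled

if __name__ == "__main__":
    sessions = parse_tls_sessions(SAMPLE_LOG)
    for s in sessions:
        print(s)
    print("failed handshakes:", dict(failed_handshakes_by_host(sessions)))
    print("original exclude list ->", negotiable_ciphers(GMAIL_OFFERED, SERVER_SUPPORTED, EXCLUDE_ORIGINAL))
    print("RC4-SHA re-enabled   ->", negotiable_ciphers(GMAIL_OFFERED, SERVER_SUPPORTED, EXCLUDE_RELAXED))
```

The parser half is the part worth keeping in a log monitor: a peer that repeatedly fails the handshake with "no shared cipher" is the signal that a cipher policy change has started pushing mail toward cleartext fallback, which is what the delayed GMail deliveries above turned out to be. The negotiation half just makes the thread's arithmetic explicit: with the original exclude list the overlap with GMail's two suites is empty, and re-enabling RC4-SHA is the single change that restores one.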

