Traceback `sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.XXX.de:25 -> "SMTP EHLO was rejected".`

paulmenzel commented 1 year ago

$ git describe
5.1.3
$ git log --oneline --no-decorate -1
fccf7f9 Bump version number
$ pip install .
[…]
$ sslyze --starttls=smtp mail.gw90.de:25
[…]
  * Error when running --sslv2:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: ssl_2_0_cipher_suites

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/implementation.py", line 124, in result_for_completed_scan_jobs
    cipher_suite_result = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 54, in connect_with_cipher_suite
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

The server is running Exim, and the (obfuscated) logs contain:

TLS error on connection from mx.example.net (sslyze.scan) [141.14.18.x]:60852 I=[10.10.10.2]:25 (gnutls_handshake): No supported cipher suites have been found. 
SMTP connection from mx.example.net (sslyze.scan) [141.14.18.x]:60852 I=[10.10.10.2]:25 closed by EOF 
no MAIL in SMTP connection from mx.example.net (sslyze.scan) [141.14.18.x]:60852 I=[10.10.10.2]:25 D=0.572s SNI=mail.gw90.de C=EHLO,STARTTLS

paulmenzel commented 1 year ago

Same problem with mailbox.alumni.tu-berlin.de also using Exim according to Nmap: ESMTP (exim-4.94).

nabla-c0d3 commented 1 year ago

Hello! Thanks for the bug report. I am not able to reproduce the issue tho; the server seems offline?

python -m  sslyze --starttls=smtp mail.gw90.de:25

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   mail.gw90.de:25           => ERROR: Connection to the server timed out; discarding scan.

If you know of a server that is online and has the problem you reported, please reopen this issue with this information. Thanks!

paulmenzel commented 1 year ago

The server accepts connections on port 25. What IP did you use?

$ sslyze --starttls=smtp mail.gw90.de:25

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   mail.gw90.de:25           => 144.76.186.21 

 SCAN RESULTS FOR MAIL.GW90.DE:25 - 144.76.186.21
 ------------------------------------------------

 * Error when running --certinfo:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: certificate_info

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/certificate_info/implementation.py", line 107, in result_for_completed_scan_jobs
    received_chain_as_pem, ocsp_response, custom_ca_file = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/certificate_info/_get_cert_chain.py", line 26, in get_certificate_chain
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * Error when running --sslv2:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: ssl_2_0_cipher_suites

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/implementation.py", line 124, in result_for_completed_scan_jobs
    cipher_suite_result = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 54, in connect_with_cipher_suite
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * Error when running --sslv3:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: ssl_3_0_cipher_suites

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/implementation.py", line 124, in result_for_completed_scan_jobs
    cipher_suite_result = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 54, in connect_with_cipher_suite
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * Error when running --tlsv1:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: tls_1_0_cipher_suites

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/implementation.py", line 124, in result_for_completed_scan_jobs
    cipher_suite_result = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 54, in connect_with_cipher_suite
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * Error when running --tlsv1_1:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: tls_1_1_cipher_suites

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/implementation.py", line 124, in result_for_completed_scan_jobs
    cipher_suite_result = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 54, in connect_with_cipher_suite
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * Error when running --tlsv1_2:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: tls_1_2_cipher_suites

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/implementation.py", line 124, in result_for_completed_scan_jobs
    cipher_suite_result = completed_job.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 54, in connect_with_cipher_suite
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * TLS 1.3 Cipher Suites:
     Attempted to connect using 5 cipher suites.

     The server accepted the following 4 cipher suites:
        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
        TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
        TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)

 * Deflate Compression:
                                          OK - Compression disabled

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * Error when running --robot:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: robot

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/robot/implementation.py", line 101, in result_for_completed_scan_jobs
    server_responses_per_robot_payloads = future.get_result()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/robot/_robot_tester.py", line 171, in test_robot
    rsa_params = _get_rsa_parameters(server_info, tls_version_to_use, cipher_string)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/robot/_robot_tester.py", line 243, in _get_rsa_parameters
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 * Session Renegotiation:
       Client Renegotiation DoS Attack:   OK - Not vulnerable
       Secure Renegotiation:              OK - Supported

 * Error when running --elliptic_curves:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.3
       * Server: mail.gw90.de:25 - 144.76.186.21
       * Scan command: elliptic_curves

       Traceback (most recent call last):
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
    scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/elliptic_curves_plugin.py", line 169, in result_for_completed_scan_jobs
    all_ecdh_results = [scan_job.get_result() for scan_job in scan_job_results]
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/elliptic_curves_plugin.py", line 169, in <listcomp>
    all_ecdh_results = [scan_job.get_result() for scan_job in scan_job_results]
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/plugin_base.py", line 61, in get_result
    raise self._exception
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
    return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/plugins/elliptic_curves_plugin.py", line 213, in _test_curve
    ssl_connection.connect()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 258, in connect
    self._do_pre_handshake()
         File "/home/pmenzel/.local/lib/python3.10/site-packages/sslyze/connection_helpers/tls_connection.py", line 239, in _do_pre_handshake
    raise ServerRejectedOpportunisticTlsNegotiation(
       sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.gw90.de:25 -> "SMTP EHLO was rejected".

 SCANS COMPLETED IN 12.6942 S
 ----------------------------

 COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
 --------------------------------------------

    Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.

    mail.gw90.de:25: ERROR - Scan did not run successfully; review the scan logs above.

nabla-c0d3 commented 1 year ago

I can't connect when using the domain:

python -m sslyze --starttls=smtp mail.gw90.de:25

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   mail.gw90.de:25           => ERROR: Connection to the server timed out; discarding scan.

 SCANS COMPLETED IN 5.17535 S

And also when using the IP:

python -m sslyze --starttls=smtp 144.76.186.21:25

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   144.76.186.21:25          => ERROR: Connection to the server timed out; discarding scan.

 SCANS COMPLETED IN 5.17718 S

paulmenzel commented 1 year ago

I meant your IP address, so I can check, if I see anything in my log files.

nabla-c0d3 / sslyze

Traceback `sslyze.errors.ServerRejectedOpportunisticTlsNegotiation: mail.XXX.de:25 -> "SMTP EHLO was rejected".` #606