
Thread: KOE Extension fails if TLSv1 is disabled on web server

  1. #1
    Junior Member (Join Date: Apr 2014, Posts: 28)

    KOE Extension fails if TLSv1 is disabled on web server

    After a recent "hardening tour" on my web server used for z-push, I noticed that the KOE extension failed to connect.

    Mail, Calendar and Contact synchronization still worked fine, but none of the KOE features appeared to work.
    The KOE log has been showing the following exception whenever an attempt was made to use KOE.

    Code:
    2017/01/13 08:01:52.693 (1,VSTA_Main): Error: SharedFolders: Exception in task SharedFolders: System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
       at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
       at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
       at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       --- End of inner exception stack trace ---
       at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at System.Threading.Tasks.Task`1.get_Result()
       at Acacia.ZPush.Connect.ZPushConnection.Execute(String url, RequestEncoder request)
       at Acacia.ZPush.Connect.ZPushWebService.Execute[ResponseType](SoapRequest`1 request)
       at Acacia.ZPush.API.SharedFolders.SharedFoldersAPI.GetCurrentShares(Nullable`1 cancel)
       at Acacia.Features.SharedFolders.FeatureSharedFolders.AdditionalFolders_Sync(ZPushConnection connection)
       at Acacia.ZPush.ZPushSync.SyncTask.<>c__DisplayClass5_0.<GetInstance>b__0()
       at Acacia.Utils.AcaciaTask.Execute()
    ---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
       at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
       at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
       at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
    Nothing has been logged on the server (not even at the web-server level).

    I am using z-push 2.3.4+0 on apache 2.4 with fpm-php5 and zarafa 7.2.4 as the backend, and KOE 1.3.109 with Outlook 2013.

    The good news is that I have been able to track this down to my disabling of the TLSv1 protocol on apache. As soon as I re-enabled this for the virtual site used by z-push, things worked fine again.

    I thought I'd share this with the community in case somebody else runs into the issue. May I suggest that you put this somewhere on the KOE installation guide or troubleshooting wiki page. Ideally, KOE should be made to use the newer TLSv1.1 or TLSv1.2 protocols (I will have a look if I can provide a patch for that). Apparently Outlook 2013 is happy to use one of these as email was still working.

    cheers,
    Andre

    IT Professional
    Zarafa 7.2.5 RC
    Z-Push 2.3.4, Outlook 2013/2016, Webapp 3.2.0

  2. #2
    Zarafa (Join Date: Jan 2009, Location: Hanover, Germany, Posts: 1,867)
    Hi Andre,

    thanks for your report. I have created the issue https://jira.kopano.io/browse/KOE-62 for this. If you are willing to provide a patch we'll be more than happy to review and (if ok) merge it. Can you provide the exact SSLCipherSuite combo that you have used (I just c&p'ed one from the internet for the ticket)?

    I will anyway bring it up with the developer in the next week.
    Regards Felix

    How to get Kopano

    Zarafa ALPHA/BETA/RC feedback in BETA forum please.
    Zarafa IRC chat: irc.freenode.com > #zarafa
    Zarafa documentation: http://documentation.zarafa.com/

    No support via PM! Please contact our sales team for an offer if you want my full attention.

  3. #3
    Junior Member (Join Date: Apr 2014, Posts: 28)
    Hi Felix,

    I won't have time in the short term to fully test a patch.
    According to .NET framework documentation, it would be sufficient to add something like
    Code:
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;
    to the code, before any attempt to connect is being made.
    From what I read, the default for .NET Framework 4.5 (which you appear to have been using) is still TLSv1. The above should extend that to the newer TLS versions. It is ok to still keep TLSv1 (the simple Tls constant) in the list, as the client will apparently negotiate the highest version available on the server.

    Actually, my apache configuration change was not about restricting SSL ciphers (this is still the apache 2.4 default), but simply about the SSLProtocol directive. By default (or when that directive is not set at all), the following applies:
    Code:
    SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    As both SSLv3 and TLSv1 are known to be pretty flawed, I wanted to disable them by setting:
    Code:
    SSLProtocol +TLSv1.1 +TLSv1.2
    That's when KOE failed.
    As it wasn't immediately apparent (z-push sync still worked), it took some time for me to detect this.
    Setting it back to:
    Code:
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    fixed things.

    I think supported SSL Ciphers are more a matter of what is supported by Windows and the .NET Framework in general. As long as there is a common ground between the used .NET Framework and the apache web server, things should be fine. That doesn't mean that I won't look into restricting SSL Ciphers later on, but I haven't yet got to that point.

    Andre
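The following is an added example, not code from this thread, Z-Push, KOE or Apache. It models what Andre describes in the post above: Apache's SSLProtocol directive (the bare-name, `+name`, `-name` and `all` forms) and the client/server version negotiation, so you can see why a client limited to TLSv1 (the .NET 4.5 default as described in the thread) gets no common version against `+TLSv1.1 +TLSv1.2`, while the widened set negotiates TLSv1.2. It also includes a live probe that tries one handshake per TLS version against a host, which is the check you would run on the z-push virtual host before and after changing the directive. The function names, the `PROTOCOLS` list and the host/port arguments are assumptions of this example; it needs Python 3.7+ for `ssl.TLSVersion`, and the probe part needs network access to the server you name.

```python
"""Model Apache's SSLProtocol directive and probe a server's TLS versions.

Added example for this thread; not part of Z-Push, KOE or Apache.
Assumes Python 3.7+ (ssl.TLSVersion).  probe_server() needs network
access to the host you pass; everything else runs offline.
"""
import socket
import ssl
import sys

# Apache 2.4 protocol names, oldest first.  The "all" keyword in the
# SSLProtocol directive expands to every entry here.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_sslprotocol(directive: str) -> set:
    """Return the set of protocols an SSLProtocol line enables.

    Supports the forms used in the thread: bare names ("TLSv1.2"),
    "+name", "-name" and "all".  Tokens apply left to right, starting
    from an empty set, so "all -SSLv3 -TLSv1" yields {TLSv1.1, TLSv1.2}.
    An empty directive is treated as "all" (the unset default).
    """
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    if not tokens:
        return set(PROTOCOLS)
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        unknown = names - set(PROTOCOLS)
        if unknown:
            raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def negotiate(client: set, server: set):
    """Highest version both sides allow, or None when the handshake fails."""
    common = [p for p in PROTOCOLS if p in client and p in server]
    return common[-1] if common else None


def probe_server(host: str, port: int = 443) -> dict:
    """Try one handshake per TLS version; map version name -> accepted.

    Certificate verification is switched off on purpose: we only want to
    learn whether the server speaks the version, not whether its
    certificate is trusted.  Never reuse this context for real traffic.
    """
    versions = [("TLSv1", ssl.TLSVersion.TLSv1),
                ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2)]
    results = {}
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; lower it so the old versions are actually offered.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, ValueError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    hardened = parse_sslprotocol("SSLProtocol +TLSv1.1 +TLSv1.2")
    tls1_only = {"TLSv1"}                        # client limited to TLSv1
    widened = {"TLSv1", "TLSv1.1", "TLSv1.2"}    # client after the fix
    print("TLSv1-only client vs hardened server:", negotiate(tls1_only, hardened))
    print("widened client vs hardened server:  ", negotiate(widened, hardened))
    if len(sys.argv) > 1:   # e.g. python tlsprobe.py zpush.example.org 443
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for ver, ok in probe_server(sys.argv[1], port).items():
            print(f"{ver}: {'accepted' if ok else 'rejected'}")
```

Run it with no arguments for the offline model, or with a host (and optional port) to probe a live server. A server that rejects TLSv1 but accepts TLSv1.1 and TLSv1.2 is exactly the state in which the original KOE 1.3.109 failed while Outlook's own sync kept working.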

  4. #4
    Zarafa (Join Date: Jan 2009, Location: Hanover, Germany, Posts: 1,867)
    Hi Andre,

    I don't know .net myself so I cannot comment on this, but it sounds reasonable to me.
    Regards Felix
