Good day,

I asked this question in the Network Engineers StackExchange and was told to ask it here.

I am running a roundup server (Ubuntu 12.04), and the roundup-mailgw (python script) is no longer able to pull email from MS Exchange to create the tickets in roundup. Mail flows from one point to another without issue, but I keep getting the error "connection reset by peer" in the roundup logs when the roundup-mailgw process runs to pull email from Exchange; it runs every 5 minutes.

Looking at a wireshark view of the packets, I am seeing the following:

677 2015-11-30 13:00:01.208619  IP1 IP2 TCP 74  35438→995 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=196418977 TSecr=0 WS=128
678 2015-11-30 13:00:01.209580  IP2 IP1 TCP 74  995→35438 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=47517378 TSecr=196418977
679 2015-11-30 13:00:01.209612  IP1 IP2 TCP 66  35438→995 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=196418977 TSecr=47517378
680 2015-11-30 13:00:01.209993  IP1 IP2 SSL 357 Client Hello
681 2015-11-30 13:00:01.215919  IP2 IP1 TCP 60  995→35438 [RST, ACK] Seq=1 Ack=292 Win=0 Len=0

Nothing has changed on the roundup server for a very long time. The certs do not expire for another 2 years, and the only change that has been made was that Exchange was patched and rebooted. There were no Exchange or IIS patches (OWA). So, I'm now looking at the packets and have hit a roadblock. Any and all assistance would be greatly appreciated.

Sincerely, Lee

  • that nothing has changed on the roundup server is likely the problem, ssl versions have been deprecated, have you tried updating the ubuntu system? – Jim B Dec 01 '15 at 16:40
  • Jim B. Thank you for your reply. I may have mispoke. The Ubuntu system is patched and up to date. I should have said the "roundup" system's config files have not changed. Thank you for the clarification! – Lee Dec 01 '15 at 17:28

1 Answer

The most obvious cause would be that you're trying to use a version of SSL/TLS that the server doesn't support. For example, did one of the Exchange patches disable SSLv3 and you're trying to negotiate an SSLv3 connection?

You can see what you're asking for in the "Client Hello" detail in Wireshark:

Secure Sockets Layer
   TLSv1 Record Layer: Handshake Protocol: Client Hello
      Content Type: Handshake (22)
      Version: TLS 1.0 (0x0301)
      Length: 149

You can then either examine the Windows registry to see what ciphers are enabled (see MSDN articles), or enable SChannel debugging on the Exchange side (as per https://support.microsoft.com/en-us/kb/260729 ) which should help narrow down SChannel errors.

The other option is a cipher mismatch; i.e., you're requesting a cipher suite that the server doesn't support. Again, a patch could have disabled weaker ciphers that your roundup server is trying to use. The "Client Hello" message contains a list of cipher suites that your endpoint supports; you'll need to compare this list to the ciphers enabled on the Windows server (or use SChannel logging to get the information).

Chris J
  • Thank you for your reply. The first mention of Handshake Protocol for Client Hello is TLS 1.0 (0x0301). Then the next is TLS 1.2 (0x0303). I've looked for what Win Server 2012R2 uses and found it in this Technet article [technet](https://technet.microsoft.com/en-us/library/dn786419.aspx) and the cipher suites listed in the wireshark are listed in the technet article. While there are SChannel errors, they do not correspond to the times this process runs. – Lee Dec 01 '15 at 16:46
  • Chris, I have to retract that last statement. This process runs every 5 minutes on the hour. I'm seeing SChannel errors sporadically around those times. I do see one at 04:01:27 with an error "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed." But, would I not see these every 5 minutes or so? There has only been this one today. At this time (almost noon EST) I should see 144 of these types of errors and I'm not. – Lee Dec 01 '15 at 16:55
  • Chris, again thank you for your reply. We found there is an issue with Windows Server 2012 R2 and how it handles TLS 1.2 and SHA512, which is what the roundup server is using. It was failing the handoff as we have seen above. However, even after "fixing" that issue, I have no solution. – Lee Dec 03 '15 at 15:29
  • Hi Lee, I don't have any more advice on this. SChannel logs have typically helped to resolve issues like this for me. I don't know what to pursue after this if you still have problems. – Chris J Dec 04 '15 at 13:38
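The answer above suggests comparing what the Client Hello asks for (protocol version, cipher suites) with what the Windows server has enabled, and Lee's later comments show the two extra details that matter in this capture: the record layer says TLS 1.0 (0x0301) while the ClientHello inside says TLS 1.2 (0x0303), and the TLS 1.2 signature_algorithms extension is where SHA512 turns up. The script below is an added example, not code from the thread or from roundup; it decodes a raw ClientHello record (the bytes Wireshark shows under "Client Hello") and reports which of the three things would stop the handshake. The server-side lists (SERVER_VERSIONS, SERVER_SUITES, SERVER_HASHES) are assumptions for illustration only; on a real system take them from the SChannel registry keys or the TechNet cipher-suite list, not from this file. build_client_hello only constructs fixtures so the example runs offline; with a real capture, feed the record bytes straight into parse_client_hello.

```python
"""Decode a TLS ClientHello and check it against an assumed server policy.

Added example for this thread. SERVER_* below is a hypothetical policy,
not Exchange's real configuration.
"""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SUITES = {  # IANA names for the suite codes used in this example
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Assumed server policy (hypothetical): TLS 1.0-1.2, a few RSA suites,
# and signature hashes sha1/sha256/sha384 but not sha512.
SERVER_VERSIONS = {0x0301, 0x0302, 0x0303}
SERVER_SUITES = {0xC02F, 0xC013, 0xC014, 0x002F, 0x0035}
SERVER_HASHES = {2, 4, 5}


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello (RFC 5246 section 7.4.1.2)."""
    if len(record) < 5 or record[0] != 22:  # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack(">HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2 + 32                       # version, then 32 bytes of client random
    pos += 1 + hello[pos]               # session id (length-prefixed)
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]               # compression methods (length-prefixed)
    sig_algs = []                       # (hash, signature) pairs from extension 13
    if pos < len(hello):                # extensions block is optional
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_size]
            pos += ext_size
            if ext_type == 13:          # signature_algorithms (TLS 1.2 only)
                n = struct.unpack(">H", data[:2])[0]
                sig_algs = [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "signature_algorithms": sig_algs}


def handshake_problems(hello, versions=SERVER_VERSIONS, suites=SERVER_SUITES,
                       hashes=SERVER_HASHES):
    """Return the reasons the assumed server would refuse this ClientHello."""
    problems = []
    # The server picks the highest version it supports that is <= the client's.
    if not any(v <= hello["client_version"] for v in versions):
        problems.append("no acceptable protocol version")
    if not [s for s in hello["cipher_suites"] if s in suites]:
        problems.append("no common cipher suite")
    algs = hello["signature_algorithms"]
    if algs and not any(h in hashes for h, _ in algs):
        offered = ", ".join(sorted({HASHES.get(h, hex(h)) for h, _ in algs}))
        problems.append("no common signature hash: client offers only " + offered)
    return problems


def build_client_hello(version, suites, sig_algs=None):
    """Construct a ClientHello record as a test fixture (not a real capture).

    The record layer is written as 0x0301 even for a TLS 1.2 hello, which is
    what OpenSSL-style clients send and what the capture in this thread shows.
    """
    body = struct.pack(">H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                                # one compression method: null
    if sig_algs is not None:
        sa = b"".join(bytes(pair) for pair in sig_algs)
        ext = struct.pack(">HHH", 13, len(sa) + 2, len(sa)) + sa
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0301, len(hs)) + hs


if __name__ == "__main__":
    # Constructed fixture: TLS 1.2 hello whose signature_algorithms list is sha512-only.
    hello = parse_client_hello(build_client_hello(0x0303, [0xC02F, 0x002F], [(6, 1), (6, 3)]))
    print("record %s, hello %s" % (VERSIONS[hello["record_version"]], VERSIONS[hello["client_version"]]))
    print("suites:", [SUITES.get(s, hex(s)) for s in hello["cipher_suites"]])
    print("problems:", handshake_problems(hello) or "none")
```

When run against the fixture it reports the two-version quirk (record layer TLS 1.0, hello TLS 1.2) and flags the signature-hash mismatch rather than a cipher-suite mismatch, which is the distinction Lee's SChannel event text does not make.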