Thank you very much for the reply.
I'm using a new certificate, but initially I used the old one. I replaced it
because I thought that might be the problem. As this happens on people's
laptops, I can't perform many tests, as they are not usually available.
I can only show the logs from my client to the server that I previously
collected:
--------------------------------------------------------------------
log Outlook 2003
2010.06.05 13:59:50 <<<< Logging Started (level is LTF_TRACE) >>>>
2010.06.05 13:59:50 pop.mydomain: Synch operation started (flags = 00000001)
2010.06.05 13:59:50 pop.mydomain: UploadItems: 2 messages to send
2010.06.05 13:59:50 SMTP (mail.mydomain): Begin execution
2010.06.05 13:59:50 SMTP (mail.mydomain): Port: 25, Secure: TLS, SPA: no
2010.06.05 13:59:50 SMTP (mail.mydomain): Finding host
2010.06.05 13:59:50 SMTP (mail.mydomain): Connecting to host
2010.06.05 13:59:50 SMTP (mail.mydomain): Connected to host
2010.06.05 13:59:50 pop.di.ubi.pt: Synch operation started (flags = 00000030)
2010.06.05 13:59:50 SMTP (mail.mydomain): <rx> 220 neve.di.ubi.pt ESMTP Sendmail 8.14.3/8.14.3; Sat, 5 Jun 2010 14:00:41 +0100
2010.06.05 13:59:50 SMTP (mail.mydomain): [tx] EHLO ss1
2010.06.05 13:59:50 SMTP (mail.mydomain): <rx> 250-neve.di.ubi.pt Hello [10.0.0.252], pleased to meet you
2010.06.05 13:59:50 SMTP (mail.mydomain): <rx> 250-ENHANCEDSTATUSCODES
2010.06.05 13:59:50 SMTP (mail.mydomain): <rx> 250-PIPELINING
2010.06.05 13:59:50 SMTP (mail.mydomain): <rx> 250-8BITMIME
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 250-SIZE 20240000
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 250-DSN
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 250-ETRN
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 250-STARTTLS
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 250-DELIVERBY
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 250 HELP
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): Securing connection
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): [tx] STARTTLS
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 220 2.0.0 Ready to start TLS
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): Securing connection
2010.06.05 13:59:50 pop.di.ubi.pt: DoPOPDownload(flags = 00000030, max msg = ffffffff): full items
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): Connected to host
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): [tx] EHLO ss1
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): <rx> 220 neve.di.ubi.pt ESMTP Sendmail 8.14.3/8.14.3; Sat, 5 Jun 2010 14:00:41 +0100
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): Authorized to host
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): Connected to host
2010.06.05 13:59:50 SMTP (mail.di.ubi.pt): [tx] MAIL FROM: <*****>
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): Begin execution
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): ========= Initial blob =========
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): ===================================
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): Port: 995, Secure: SSL, SPA: no
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): Finding host
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): Connecting to host
2010.06.05 13:59:50 POP3 (pop.di.ubi.pt): Securing connection
--------------------------------------------------
From: "Dave Thompson" <dthomp...@prinpay.com>
Sent: Friday, June 11, 2010 2:16 AM
To: <openssl-users@openssl.org>
Subject: RE: openssl 1.0.0 issue with sendmail
From: owner-openssl-us...@openssl.org On Behalf Of David Carvalho
Sent: Wednesday, 09 June, 2010 06:06
I am having trouble since I replaced my e-mail server (hardware and
to Fedora 12).
Basically I'm using almost the same sendmail.mc file as in the previous
server (running openssl 0.9.6, I think).
The problem is that Windows XP clients running Outlook, Outlook Express
or Windows Mail cannot relay, as they fail to STARTTLS. ...
In my previous server logs, I saw that the Windows XP clients used the
RC4-MD5 cipher, but now I get
STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104,
retry=-1
5 is SSL_ERROR_SYSCALL -- an I/O operation (likely recv()) failed with
that errno.
On one Linux I have to hand 104 is ECONNRESET; I'm not sure it's the same
on (all) others but that's certainly a likely I/O error on a socket. If so,
either the client is failing or something in between like maybe a firewall
is breaking your connection.
There may be helpful log information on the client; see below. Or a net
monitor like your ssldump below will show *when* in the protocol the
problem occurred.
(Normally I would also suggest s_server, but it doesn't do STARTTLS.)
and other times
STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0,
retry=-1
depending on which client.
1 is SSL_ERROR_SSL which is either an actual error in the protocol or
an error reflected through the protocol i.e. a fatal alert; errno is
(usually) meaningless and the program should call SSL_print_errors[_fp]
or similar logic to get useful info. If it is not doing so and you can't
get it to (maybe some option, I don't know sendmail) monitor as above.
I've found some information confirming this issue with older Windows
at
http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html
See below.
From: owner-openssl-us...@openssl.org On Behalf Of David Carvalho
Sent: Wednesday, 09 June, 2010 07:37
Subject: openssl 1.0.0 issue with sendmail (ssldump output)
After installing ssldump, I could compare Windows XP and Windows 7
clients' STARTTLS negotiation.
While Windows 7 used TLS_RSA_WITH_AES_128_CBC_SHA via TLSv1/SSLv3,
the Windows XP output is
New TCP connection #1: 10.0.0.252(5000) <-> my.server (25)
1 1 0.0182 (0.0182) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
<snipped; as per referenced website does not request AES suites>
1 2 0.0188 (0.0005) S>C Handshake
ServerHello
Version 3.1
session_id[32]= <snipped>
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0188 (0.0000) S>C Handshake
Certificate
1 4 0.0202 (0.0014) S>C Handshake
1 5 0.0202 (0.0000) S>C Handshake
1 0.0229 (0.0026) C>S TCP FIN
1 0.0230 (0.0001) S>C TCP FIN
Did you delete or suppress some details? After ServerHello server should
send Certificate (partly shown), ServerKeyExchange and ServerHelloDone
(not shown).
(Also CertRequest if you use client authentication aka client certs, but
it doesn't look like you do and you certainly didn't say so.) At that point
this client apparently just closes the connection (C>S FIN then S>C FIN)
which is abnormal. Probably only the client can tell you why it did this.
Also, this doesn't show any STARTTLS; I don't know if ssldump doesn't
show pre-SSL traffic on a connection, or you suppressed it, or what.
New TCP connection #2: 10.0.0.252(1025) <-> my.server(25)
2 60.0266 (60.0266) C>S TCP FIN
2 60.0267 (0.0000) S>C TCP FIN
This is really strange -- it connects and then does nothing for 60
seconds? Either your monitor is missing some traffic, or this client is
weird.
So how can I enable SSLv2 support ? Is it on openssl or sendmail ?
You shouldn't want or need SSLv2 *protocol*; it's obsolete and unsafe.
As the website you referenced explicitly says. The client in this case
is offering to negotiate up to 3.1 (which is TLS1.0). Don't be fooled
by the 'SSLv2 *compatible* hello'; that doesn't mean it wants v2.
The old *ciphersuites* are still available in SSL3/TLS unless you disable
them; the discussion on that website about !SSLv2 in the cipherstring is
exactly that.
In this case the server agreed to an RC4-MD5 suite, as you say the XP
clients previously liked. I think only the client can say what's going on
here; see below.
A thought: is the new server using the same (keypair&)cert as the old one?
If not, does the client need to be told to trust the new one? I'd guess
that Outlook etc. would use the same truststore as IE, but that's only
a guess. But if anything I would expect newer Windows' apps to be *more*
strict here not less; IE7 certainly is.
Googling found http://www.mofeel.net/448-comp-mail-sendmail/3469.aspx
which is almost the same symptom but traced to the server using a DSA cert,
resulting in selecting DHE-DSS-3DES, which clearly is different from your
case. (And also that case did use ClientAuth.)
Also found advice to set 'Enable logging' under Tools / Options / Other /
Advanced, which according to the help goes to \D&S\user\Local Settings\Temp
(i.e. the standard or at least usual %temp% directory) as OPMLog.log .
I happen to have XPProSP3 and Outlook2003 to a non-SSL mailserver,
and that does log; I can't verify what it does for STARTTLS+SSL.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
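The point made above about the "SSLv2 compatible client hello" (it carries the highest protocol version the client accepts plus the suites it offers, and the v2 framing by itself does not ask for SSLv2) can be checked directly against the bytes on the wire. The Python below is an added example for this thread, not code from the posts, from ssldump or from OpenSSL: it builds a constructed SSLv2-framed CLIENT-HELLO advertising version 3.1, parses it with length checks, and lists which SSL3/TLS suites a server with a given cipher configuration could still select. The offered suite list is made up for illustration, since the real XP list was snipped from the post.

```python
import struct

# Cipher-suite code points in the 3-byte SSLv2 CIPHER-SPEC encoding.
# SSL3/TLS suites are 0x00 followed by the 2-byte IANA value; a genuine
# SSLv2-only spec has a non-zero first byte.
SUITE_NAMES = {
    (0x00, 0x00, 0x04): "TLS_RSA_WITH_RC4_128_MD5",
    (0x00, 0x00, 0x05): "TLS_RSA_WITH_RC4_128_SHA",
    (0x00, 0x00, 0x09): "TLS_RSA_WITH_DES_CBC_SHA",
    (0x00, 0x00, 0x0A): "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    (0x00, 0x00, 0x2F): "TLS_RSA_WITH_AES_128_CBC_SHA",
    (0x01, 0x00, 0x80): "SSL2_RC4_128_WITH_MD5",
}

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_v2_compatible_client_hello(version, cipher_specs, challenge):
    """Encode a CLIENT-HELLO in the SSLv2 record format (2-byte header).

    Used here only to construct the sample input. Layout: msg-type(1)
    version(2) cipher-spec-len(2) session-id-len(2) challenge-len(2)
    cipher-specs session-id challenge.
    """
    body = struct.pack("!BHHHH", 0x01, version, 3 * len(cipher_specs),
                       0, len(challenge))
    body += b"".join(bytes(spec) for spec in cipher_specs) + challenge
    if len(body) >= 0x8000:
        raise ValueError("body too large for a 2-byte SSLv2 header")
    # High bit set = 2-byte header without padding; low 15 bits = body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_v2_compatible_client_hello(record):
    """Decode an SSLv2-compatible CLIENT-HELLO and report what it offers.

    Every length field is validated before use so a truncated or
    inconsistent record raises ValueError instead of being mis-parsed.
    """
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) != length or length < 9:
        raise ValueError("record body truncated")
    msg_type, version, cs_len, sid_len, chal_len = struct.unpack("!BHHHH", body[:9])
    if msg_type != 0x01:
        raise ValueError("not a CLIENT-HELLO message")
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != length:
        raise ValueError("length fields are inconsistent")
    specs = body[9:9 + cs_len]
    suites = [tuple(specs[i:i + 3]) for i in range(0, cs_len, 3)]
    names = [SUITE_NAMES.get(s, "0x%02x%02x%02x" % s) for s in suites]
    return {
        # The version field is the HIGHEST version the client accepts; the
        # v2 record framing says nothing about wanting SSLv2 itself.
        "version": version,
        "version_name": VERSION_NAMES.get(version, "0x%04x" % version),
        "suites": names,
        "v3_suites": [n for s, n in zip(suites, names) if s[0] == 0x00],
        "offers_sslv2_only_spec": any(s[0] != 0x00 for s in suites),
        "challenge_len": chal_len,
    }


def server_choices(hello, server_enabled):
    """SSL3/TLS suites the server could select, in the client's order.

    An empty list means the handshake fails for lack of a common suite,
    whatever protocol versions both sides support.
    """
    return [n for n in hello["v3_suites"] if n in server_enabled]


# Constructed sample: a TLS 1.0 client that frames its hello the SSLv2 way
# and offers no AES suites. Not the (snipped) suite list from the thread.
SAMPLE_SPECS = [(0x00, 0x00, 0x04), (0x00, 0x00, 0x05), (0x00, 0x00, 0x0A),
                (0x01, 0x00, 0x80), (0x00, 0x00, 0x09)]
SAMPLE_HELLO = build_v2_compatible_client_hello(0x0301, SAMPLE_SPECS, bytes(range(16)))

if __name__ == "__main__":
    info = parse_v2_compatible_client_hello(SAMPLE_HELLO)
    print("client max version:", info["version_name"])
    for name in info["suites"]:
        print("  offered:", name)
    print("server could pick:",
          server_choices(info, {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5"}))
```

Running it shows the hello as TLSv1.0 despite the v2 framing, and that a server whose cipher string keeps RC4-MD5 enabled still has a suite in common with such a client, while one restricted to AES has none.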