Two days ago I updated openssl 1.0.1f to 1.0.1g. Everything seemed to be
fine. But after a while an error popped up in the sendmail log:
Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect
failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1
Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client:
17568:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
decode error:s23_clnt.c:762:
Apr 10 10:13:45 mail sendmail[17568]: ruleset=tls_server, arg1=SOFTWARE,
relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.
The mail was not delivered. Then I downgraded to 1.0.1f and the
mail was sent with:
Apr 10 10:17:31 mail sendmail[31809]: STARTTLS=client,
relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-RSA-AES256-SHA, bits=256/256
It seems that there is another difference between the two openssl
versions than only the heartbleed bugfix.
Then I tried on both versions:
openssl s_client -starttls smtp -connect mail.example.com:25
Output of version 1.0.1g:
CONNECTED(00000003)
140370040759952:error:1407741A:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 131 bytes and written 552 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Output of version 1.0.1f (parts):
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Bruno, O = "IronPort
Systems, Inc.", CN = IronPort Appliance Demo Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Bruno, O = "IronPort
Systems, Inc.", CN = IronPort Appliance Demo Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=US/ST=California/L=San Bruno/O=IronPort Systems,
Inc./CN=IronPort Appliance Demo Certificate
i:/C=US/ST=California/L=San Bruno/O=IronPort Systems,
Inc./CN=IronPort Appliance Demo Certificate
Server certificate
---snipped---
No client certificate CA names sent
SSL handshake has read 1771 bytes and written 552 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
---Snipped---
I interpret that the certificate presented by mail.example.com is one
not meant for production use...
Is there a way I can handle such certificates with openssl 1.0.1g?
mail.example.com is one of several communication partners with which I
have problems.
Thanks, Teddy
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
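An added diagnostic example, not part of Teddy's post and not code from the OpenSSL project. The error string in the post puts the failure in SSL23_GET_SERVER_HELLO, that is, while the client is still reading the ServerHello; at that point no certificate has been received yet, so the IronPort demo certificate seen with 1.0.1f cannot be what the 1.0.1g handshake is failing on. What a practitioner would do next is repeat the s_client probe with the protocol version and cipher list restricted step by step, under each OpenSSL build, and see which variant turns the alert into a completed handshake. The script below does that; the hostname, port and the set of option variants are assumptions for illustration, and the two embedded sample outputs are constructed, abridged copies of the outputs quoted in the post so the classifier can be checked without network access.

```shell
#!/bin/sh
# Added example (not from the post or from OpenSSL): narrow down a STARTTLS
# handshake failure by re-running openssl s_client with the protocol version
# and cipher list progressively restricted. Hostname, port and the option
# variants below are assumptions for illustration.

# classify_handshake: read s_client output on stdin and print one word:
#   alert - the peer answered with a TLS/SSL alert (e.g. "tlsv1 alert decode error")
#   ok    - a cipher was negotiated ("New, TLSv1/SSLv3, Cipher is ...")
#   fail  - anything else (connection refused, no cipher, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qE '(sslv[23]|tlsv1) alert'; then
        echo alert
    elif printf '%s\n' "$out" | grep -qE '^New, .*Cipher is [A-Z0-9]'; then
        echo ok
    else
        echo fail
    fi
}

# probe HOST PORT [s_client options...]: one handshake attempt, classified.
# stdin comes from /dev/null so s_client exits after the handshake instead
# of waiting for interactive input.
probe() {
    host=$1; port=$2; shift 2
    openssl s_client -starttls smtp -connect "$host:$port" "$@" </dev/null 2>&1 \
        | classify_handshake
}

# run_matrix HOST PORT: try the same server with several restrictions. The
# first variant that turns "alert" into "ok" shows which part of the default
# ClientHello the peer cannot cope with (TLS 1.2, TLS 1.1, or the cipher list).
run_matrix() {
    host=$1; port=$2
    for opts in \
        "" \
        "-no_tls1_2" \
        "-no_tls1_2 -no_tls1_1" \
        "-tls1" \
        "-tls1 -cipher DHE-RSA-AES256-SHA" \
        "-ssl3"
    do
        # $opts is intentionally unquoted so multi-flag variants split into words
        printf '%-40s %s\n' "s_client ${opts:-(defaults)}" "$(probe "$host" "$port" $opts)"
    done
}

# Constructed samples, abridged from the two s_client runs quoted in the post,
# so classify_handshake can be exercised offline.
SAMPLE_1_0_1G='CONNECTED(00000003)
140370040759952:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
no peer certificate available
New, (NONE), Cipher is (NONE)'
SAMPLE_1_0_1F='CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Bruno, O = "IronPort Systems, Inc.", CN = IronPort Appliance Demo Certificate
verify error:num=21:unable to verify the first certificate
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit'

# Usage: ./probe_starttls.sh mail.example.com 25
# With no arguments only the offline self-check on the samples runs.
if [ "$#" -ge 2 ]; then
    run_matrix "$1" "$2"
else
    printf '1.0.1g sample -> %s\n' "$(printf '%s\n' "$SAMPLE_1_0_1G" | classify_handshake)"
    printf '1.0.1f sample -> %s\n' "$(printf '%s\n' "$SAMPLE_1_0_1F" | classify_handshake)"
fi
```

Run the matrix once against the failing peer with each OpenSSL build on the PATH; the variant list is ordered from the least to the most restrictive, so the first row that reports ok is the narrowest workaround to try (for sendmail, that means constraining the client-side protocol or cipher settings to match), and a matrix that reports alert for every row points away from the ClientHello contents altogether.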