openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

Thu, 10 Apr 2014 09:44:36 -0700

Two days ago I updated openssl 1.0.1f to 1.0.1g. Everything seamed to be fine. But after a while an error popped up in sendmail log:
Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1 Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client: 17568:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762: Apr 10 10:13:45 mail sendmail[17568]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed. 


The mail has not been delivered. Then I downgraded to 1.0.1f and the 
mail has been sent with:



Apr 10 10:17:31 mail sendmail[31809]: STARTTLS=client, 
relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL, 
cipher=DHE-RSA-AES256-SHA, bits=256/256



It seams that there is another difference between the two openssl 
versions then only the heartbleed bugfix.


Then I tried on both versions:

    openssl s_client -starttls smtp -connect mail.example.com:25

Output of version 1.0.1g:

    CONNECTED(00000003)

    140370040759952:error:1407741A:SSL 
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:

    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 131 bytes and written 552 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

Output of version 1.0.1f (parts):

    CONNECTED(00000003)

    depth=0 C = US, ST = California, L = San Bruno, O = "IronPort 
Systems, Inc.", CN = IronPort Appliance Demo Certificate

    verify error:num=20:unable to get local issuer certificate
    verify return:1

    depth=0 C = US, ST = California, L = San Bruno, O = "IronPort 
Systems, Inc.", CN = IronPort Appliance Demo Certificate

    verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain

    0 s:/C=US/ST=California/L=San Bruno/O=IronPort Systems, 
Inc./CN=IronPort Appliance Demo Certificate
    i:/C=US/ST=California/L=San Bruno/O=IronPort Systems, 
Inc./CN=IronPort Appliance Demo Certificate

    Server certificate
    ---snipped---
    No client certificate CA names sent
    SSL handshake has read 1771 bytes and written 552 bytes
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    ---Snipped---


I interpret, that the presented certificate from mail.example.com is one 
not ment for productive usage...



Is there a way how I can handle such certificates with openssl 1.0.1g? 
mail.example.com is one of several communication-partners which I have 
problems with.


Thanks Teddy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to