Two days ago I updated openssl 1.0.1f to 1.0.1g. Everything seemed to be fine. But after a while an error popped up in the sendmail log:

    Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1
    Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client: 17568:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
    Apr 10 10:13:45 mail sendmail[17568]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.

The mail has not been delivered. Then I downgraded to 1.0.1f and the mail has been sent with:

    Apr 10 10:17:31 mail sendmail[31809]: STARTTLS=client, relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256

It seems that there is another difference between the two openssl versions than only the heartbleed bugfix.

Then I tried on both versions:

    openssl s_client -starttls smtp -connect mail.example.com:25

Output of version 1.0.1g:

    CONNECTED(00000003)
    140370040759952:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 131 bytes and written 552 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

Output of version 1.0.1f (parts):

    CONNECTED(00000003)
    depth=0 C = US, ST = California, L = San Bruno, O = "IronPort Systems, Inc.", CN = IronPort Appliance Demo Certificate
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = California, L = San Bruno, O = "IronPort Systems, Inc.", CN = IronPort Appliance Demo Certificate
    verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain
     0 s:/C=US/ST=California/L=San Bruno/O=IronPort Systems, Inc./CN=IronPort Appliance Demo Certificate
       i:/C=US/ST=California/L=San Bruno/O=IronPort Systems, Inc./CN=IronPort Appliance Demo Certificate
    Server certificate
    ---snipped---
    No client certificate CA names sent
    SSL handshake has read 1771 bytes and written 552 bytes
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    ---Snipped---

I interpret that the presented certificate from mail.example.com is one not meant for productive usage...

Is there a way I can handle such certificates with openssl 1.0.1g? mail.example.com is one of several communication partners with which I have problems.

Thanks, Teddy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
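The sendmail log lines quoted in the post above are exactly what an operator would watch to notice this kind of regression after a library upgrade. The following Python script is an added example and is not from the post, from sendmail or from OpenSSL. It parses constructed sendmail STARTTLS entries modelled on the ones quoted above, correlates the `STARTTLS=client, error:` line with the `ruleset=tls_server ... reject=` line of the same process id to recover the relay name (the error line itself carries none), and then separates outright handshake failures from sessions that were encrypted but whose peer certificate did not verify (`verify=FAIL`). The relay `relay.example.net` and its `verify=OK` session are constructed for contrast and do not appear in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the sendmail entries quoted in the post.
# The last line (relay.example.net, verify=OK) is invented for contrast.
SAMPLE_LOG = """\
Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1
Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client: 17568:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Apr 10 10:13:45 mail sendmail[17568]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.
Apr 10 10:17:31 mail sendmail[31809]: STARTTLS=client, relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Apr 10 10:20:02 mail sendmail[31900]: STARTTLS=client, relay=relay.example.net., version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
"""

# syslog prefix: timestamp, host, "sendmail[pid]: ", then the message body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


@dataclass
class StartTlsEvent:
    pid: str
    role: str                      # "client" (outbound) or "server" (inbound)
    ok: bool                       # False when sendmail logged an error= field
    relay: Optional[str] = None
    reason: Optional[str] = None   # OpenSSL alert text on failure
    verify: Optional[str] = None   # OK / FAIL / NONE ... as sendmail reports it
    cipher: Optional[str] = None
    bits: Optional[str] = None


def _kv(fields: str) -> Dict[str, str]:
    """Split 'k=v, k=v' into a dict; the key is everything before the first '='."""
    out: Dict[str, str] = {}
    for part in fields.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_starttls(log: str) -> List[StartTlsEvent]:
    """Build one event per sendmail process id from its STARTTLS log lines."""
    events: Dict[str, StartTlsEvent] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("STARTTLS=") and ", " in msg:
            role_part, rest = msg.split(", ", 1)
            role = role_part.split("=", 1)[1]
            kv = _kv(rest)
            failed = any(k.startswith("error") for k in kv)
            events[pid] = StartTlsEvent(
                pid=pid, role=role, ok=not failed,
                relay=kv.get("relay", "").rstrip(".") or None,
                reason=kv.get("reason"), verify=kv.get("verify"),
                cipher=kv.get("cipher"), bits=kv.get("bits"),
            )
        elif msg.startswith("ruleset=tls_server") and pid in events:
            # The error line names no relay; the reject line for the same pid does.
            kv = _kv(msg)
            if "relay" in kv:
                events[pid].relay = kv["relay"].rstrip(".")
    return list(events.values())


def handshake_failures(events: List[StartTlsEvent]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Relays whose TLS handshake failed outright, with the alert reason."""
    return [(e.relay, e.reason) for e in events if not e.ok]


def unverified_sessions(events: List[StartTlsEvent]) -> List[Optional[str]]:
    """Sessions that were encrypted but whose peer certificate did not verify.
    Opportunistic STARTTLS still delivers in that case; worth reviewing, not alerting."""
    return [e.relay for e in events if e.ok and e.verify != "OK"]


if __name__ == "__main__":
    evs = parse_starttls(SAMPLE_LOG)
    for relay, reason in handshake_failures(evs):
        print(f"FAILED   {relay}: {reason}")
    for relay in unverified_sessions(evs):
        print(f"UNVERIFIED {relay}")
```

Run against the constructed log the script reports one failed handshake to `mail.example.com` with reason `tlsv1 alert decode error` and one unverified session to the same relay; the `verify=OK` session to `relay.example.net` is reported as neither. Keying events by process id is what makes the relay name recoverable for the failure, since sendmail spreads one delivery attempt over several log lines.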