On Thu, Apr 10, 2014 at 06:39:21PM +0200, Dominik Mahrer (Teddy) wrote:

[ The subject is a bit dramatic, Sendmail did not break, rather you're
experiencing interop issues with one site. ]
> Two days ago I updated openssl 1.0.1f to 1.0.1g. Everything seemed to be
> fine. But after a while an error popped up in sendmail log:
>
> Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect
> failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1

The remote server sent a TLSv1 alert (50) "decode error". My best guess is
that the server in question has a problem with the TLS padding extension:

commit 51624dbdaed5325ac763e63dc5eb0b3ef85d6489
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Sat Apr 5 20:43:54 2014 +0100

    Set TLS padding extension value.

    Enable TLS padding extension using official value from:
    http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-v

    (cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)

This extension works around interoperability issues with F5 load
balancers. Perhaps it introduces an interoperability issue with Ironport
appliances. Can you post the IP address of the target system? Have you
tried connecting with SSLv3 (disable TLSv1, TLSv1.1 and TLSv1.2)? You can
test with

    $ openssl s_client -starttls smtp -ssl3 -connect host:25

> The mail has not been delivered. Then I downgraded to 1.0.1f and the mail
> has been sent with:
>
> Apr 10 10:17:31 mail sendmail[31809]: STARTTLS=client,
> relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL,
> cipher=DHE-RSA-AES256-SHA, bits=256/256

The padding extension is not available in 1.0.1f.

> Then I tried on both versions:
>
> openssl s_client -starttls smtp -connect mail.example.com:25

Try ssl3.

> depth=0 C = US, ST = California, L = San Bruno, O = "IronPort Systems,
> Inc.", CN = IronPort Appliance Demo Certificate

That's sad. The people should leave the "Demo" certificate in place, still
we learn it's an Ironport. I would contact Cisco and see whether they can
help to isolate the issue. (I added a Cisco Ironport engineer to the Bcc,
perhaps he'll respond).
> Is there a way how I can handle such certificates with openssl 1.0.1g?
> mail.example.com is one of several communication-partners which I have
> problems with.

The problem is unrelated to the demo certificate.

-- 
	Viktor.
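As an added example (not code from this thread, from OpenSSL or from Sendmail), the Python below does two things a practitioner chasing this report would want: it decodes the alert record behind the log line "tlsv1 alert decode error" (fatal alert, description 50), and it builds a ClientHello with and without a padding extension (type 21) so the two wire images can be compared. The pad-to-512 rule it applies (pad when the handshake message would be 256..511 bytes) is my reading of OpenSSL 1.0.1g's t1_lib.c and is stated as an assumption; the alert bytes, the hostname, the cipher-suite list and the all-zero client random are constructed for the example and were not captured from the Ironport in the thread.

```python
"""Added example: decode a TLS alert record and show what a padding
extension (type 21) does to a ClientHello. The padding threshold below is
an assumption about OpenSSL 1.0.1g, not something quoted from the thread."""
import struct

CONTENT_TYPE_ALERT = 21   # TLS record content type for alerts
EXT_SERVER_NAME = 0       # server_name extension type
EXT_PADDING = 21          # IANA padding extension type (RFC 7685);
                          # unrelated to the record type that is also 21

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {    # subset of RFC 5246 section 7.2
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    50: "decode_error", 70: "protocol_version", 80: "internal_error",
}

# Constructed: a TLS 1.0 record carrying a fatal alert with description 50,
# i.e. what Sendmail reports as "tlsv1 alert decode error".
SAMPLE_ALERT_RECORD = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x32])

# Constructed: 100 suite ids, enough to push the hello into the 256..511 range.
SAMPLE_CIPHERS = [0x0039] + list(range(0xC000, 0xC063))


def parse_alert(record):
    """Parse one TLS record; if it is an alert return (level, code, name)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % ctype)
    body = record[5:5 + length]
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, code = body[0], body[1]
    return (ALERT_LEVELS.get(level, "unknown"), code,
            ALERT_DESCRIPTIONS.get(code, "unknown"))


def sni_extension(hostname):
    """server_name extension (type 0) carrying a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(cipher_suites, extensions, pad=True, version=0x0303):
    """Build a ClientHello handshake message (4-byte handshake header
    included, 5-byte record header not included).

    With pad=True apply the assumed OpenSSL 1.0.1g rule: if the message,
    counting its handshake header and the extensions length field, would be
    256..511 bytes, append a zero-filled padding extension to reach 512."""
    body = struct.pack("!H", version) + b"\x00" * 32  # client_random: zeros (constructed)
    body += b"\x00"                                    # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hlen = 4 + len(body) + 2 + len(ext)                # message length before padding
    if pad and 0xFF < hlen < 0x200:
        pad_len = 0x200 - hlen
        pad_len = pad_len - 4 if pad_len >= 4 else 0   # leave room for the ext header
        ext += struct.pack("!HH", EXT_PADDING, pad_len) + b"\x00" * pad_len
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def client_hello_extensions(msg):
    """Return [(type, length), ...] for the extensions in a ClientHello."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                                      # header, version, random
    off += 1 + msg[off]                                   # session_id
    off += 2 + struct.unpack("!H", msg[off:off + 2])[0]   # cipher_suites
    off += 1 + msg[off]                                   # compression_methods
    if off == len(msg):
        return []                                         # no extensions block at all
    end = off + 2 + struct.unpack("!H", msg[off:off + 2])[0]
    off += 2
    found = []
    while off < end:
        etype, elen = struct.unpack("!HH", msg[off:off + 4])
        found.append((etype, elen))
        off += 4 + elen
    return found


if __name__ == "__main__":
    print("alert:", parse_alert(SAMPLE_ALERT_RECORD))
    for pad in (False, True):
        hello = build_client_hello(SAMPLE_CIPHERS, [sni_extension("mail.example.com")], pad=pad)
        print("pad=%s len=%d extensions=%s" % (pad, len(hello), client_hello_extensions(hello)))
```

The point of the comparison is that a server which chokes on the padding extension sees an otherwise identical hello; only the trailing type-21 extension and the jump to exactly 512 bytes differ. That is also why the `-ssl3` test suggested above is a useful bisection step: an SSLv3 ClientHello carries no TLS extensions, so if it succeeds where the TLS 1.x hello draws a decode_error alert, an extension (rather than the certificate) is the likely culprit.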